Theme Park Management

• The add-attraction action is a normal POST endpoint with no CSRF token.
• You do not need to read any server response from the attacker page. You only need the victim browser to send the POST.
• Target the add_attraction.php action directly with the same field names this form uses.

The endpoint trusts any authenticated browser request and never verifies that the request originated from the application itself. That means a malicious external page can force the victim browser to submit the same POST and create a new attraction.