The plugin does not perform CSRF checks on some of its administrative actions. An attacker who can get a logged-in administrator to submit a crafted form can therefore modify the plugin's settings, cause a Denial of Service, or trigger arbitrary image conversion.

The PoC varies with the endpoint targeted. Here is one example that modifies the website's .htaccess file when the form is submitted by a logged-in user. It converts the files in C:\xampp\htdocs\png_images if WordPress is installed in C:\xampp\htdocs\wordpress; the path is resolved relative to wp-content.
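The missing check described above is the absence of a nonce verification on the admin action handler. The following is an added example (not the affected plugin's code) showing the vulnerable handler pattern beside its hardened form; the action name `example_convert_images`, the nonce field `_example_nonce`, the settings page slug and the `example-uploads` directory are all hypothetical placeholders.

```php
<?php
// Added example (not the affected plugin's code): a hypothetical admin action
// "example_convert_images" on admin-post.php; all names are placeholders.

// Before: any logged-in user's browser can be made to submit this request from a
// third-party page, and the handler processes it with no proof of intent.
function example_convert_images_vulnerable() {
    $dir = $_POST['source_dir'];                       // unchecked, unsanitised
    example_list_pngs( WP_CONTENT_DIR . '/' . $dir );   // path traversal too
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// After: a nonce bound to this action and the current user, a capability check,
// and the directory confined to a fixed location under wp-content.
add_action( 'admin_post_example_convert_images', 'example_convert_images_hardened' );
function example_convert_images_hardened() {
    check_admin_referer( 'example_convert_images', '_example_nonce' ); // wp_die() on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $base = realpath( WP_CONTENT_DIR . '/example-uploads' );
    $name = sanitize_file_name( wp_unslash( $_POST['source_dir'] ?? '' ) ); // strips / and \
    $dir  = realpath( $base . '/' . $name );
    if ( false === $base || false === $dir || 0 !== strpos( $dir, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid directory.', 400 );
    }
    example_list_pngs( $dir );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Stand-in for the plugin's conversion step: returns the PNG files it would process.
function example_list_pngs( $dir ) {
    return glob( rtrim( $dir, '/\\' ) . '/*.png' ) ?: array();
}

// Settings form: emits the hidden nonce field that check_admin_referer() verifies.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_convert_images', '_example_nonce' ); ?>
        <input type="hidden" name="action" value="example_convert_images">
        <input type="text" name="source_dir" value="png_images">
        <?php submit_button( 'Convert images' ); ?>
    </form>
    <?php
}
```

A forged cross-site form cannot carry a valid nonce for the victim's session, so the hardened handler rejects it before touching settings, .htaccess or any image directory.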