The plugin within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
PHP's allow_url_include must be set to "On"
2021-12-05 (about 6 months ago)
2021-12-09 (about 6 months ago)
2022-04-11 (about 2 months ago)