This is the exact POC from the security researcher.
In the vulnerable version 1.1.0, this would have changed the .htaccess file.
In the patched version 1.1.2, this should fail.
To test: You need to be logged into WordPress as admin, then click the button above.
Expected result in v1.1.2: The attack should fail due to missing CSRF token.