This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server.
The following will create hello.php in the /twentytwenty theme directory. You can just swap out sub_cmd and theme files for the other AJAX actions.