CVE-2020-36753: 
WordPress vulnerability analysis and mitigation

The Hueman WordPress theme, versions up to and including 3.6.3, contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2020-36753. The vulnerability was discovered by Jerome Bruandet of NinTechNet and was publicly disclosed on September 26, 2020. The issue stems from missing or incorrect nonce validation in the savemetabox() function (Wordfence Intel).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and has received a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The security flaw exists in the savemetabox() function where proper CSRF protection mechanisms were not implemented, allowing for potential exploitation through forged requests (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to save metabox data through forged requests when they can convince a site administrator to perform specific actions, such as clicking on a malicious link. The impact is limited to data modification capabilities with no direct impact on confidentiality or availability (WPScan).

The vulnerability has been fixed in version 3.6.4 of the Hueman theme. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks. The fix can be verified in the theme's source code where proper CSRF protection has been implemented (WordPress Themes).