An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.
wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
An attacker could leverage this CSRF to include a script-tag that will execute upon CSRF, coupled with a wordpress user-create payload could potentially lead to RCE.
Proof of Concept:
where poc.js could be a payload similar to:
https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js