CVE Number – CVE-2019-12934
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.
wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
An attacker could leverage this CSRF to inject a script tag that executes once the forged request goes through; coupled with a WordPress user-creation payload, this could potentially lead to RCE.
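For comparison, this is what a settings handler protected against the issue described above looks like. It is an added example, not the plugin's own code: the function names, nonce action and field name are hypothetical, and it assumes the CSS is stored in an option named after the `hljs_additional_css` parameter and printed inside a `<style>` element.

```php
<?php
// Added example: hypothetical handler, not code from wp-code-highlightjs.
const HLJS_NONCE_ACTION = 'hljs_save_settings'; // hypothetical nonce action

// Settings form: wp_nonce_field() embeds a token bound to the logged-in user
// and to this action, which a cross-site page cannot read or predict.
function hljs_render_settings_form() {
    $css = (string) get_option( 'hljs_additional_css', '' );
    echo '<form method="post" action="">';
    wp_nonce_field( HLJS_NONCE_ACTION, 'hljs_nonce' );
    echo '<textarea name="hljs_additional_css">' . esc_textarea( $css ) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Save handler: capability check, then nonce check, then input validation.
function hljs_save_settings() {
    if ( ! isset( $_POST['hljs_additional_css'] ) ) {
        return; // not a submission of this form
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request unless a valid nonce for this action is present,
    // so a forged cross-site POST never reaches update_option().
    check_admin_referer( HLJS_NONCE_ACTION, 'hljs_nonce' );

    $css = wp_unslash( $_POST['hljs_additional_css'] );
    // Reject anything that looks like an HTML tag (e.g. a </style> breakout).
    if ( ! is_string( $css ) || preg_match( '#</?\w+#', $css ) ) {
        add_settings_error( 'hljs', 'hljs_markup', 'Markup is not allowed in CSS.' );
        return;
    }
    update_option( 'hljs_additional_css', $css );
}
add_action( 'admin_init', 'hljs_save_settings' );

// Output: strip tags again at render time in case a bad value is already stored.
function hljs_print_additional_css() {
    $css = (string) get_option( 'hljs_additional_css', '' );
    if ( '' !== $css ) {
        echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
    }
}
add_action( 'wp_head', 'hljs_print_additional_css' );
```

The nonce check addresses the CSRF and the markup validation addresses the script injection; either one alone leaves half of the chain in place.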
This plugin was closed on June 23, 2019 and is no longer available for download, but some users may still have it installed.
Plugin details & updates – https://wordpress.org/plugins/wp-code-highlightjs/#description