The settings page for the marketo-forms-and-tracking WordPress plugin is vulnerable to CSRF. This CSRF can be used to inject a script tag into the WordPress Admin Panel, making this attack vector an authenticated XSS attack.
Proof of Concept example: