In the file /wp-content/plugins/pardot/includes/pardot-plugin-class.php, there are three references to the method convert_embed_code_https() on lines 646, 752, and 983. I have commented those out, which leaves the IFRAME’s original SRC attribute value unchanged. Note that this still requires the Pardot account owner to modify their forms (which are made available via this plugin) to be housed on a different domain than go.pardot.com, to avoid being affected by the security update on April 22.
