PHPSHE 1.7 has a SQL injection vulnerability via the product_id[] parameter of admin.php?mod=product&act=state.
phpshe phpshe 1.7