SQL injection vulnerability in Likeshop prior to 2.5.7 allows malicious users to run abitrary SQL commands via the function OrderLogic::getOrderList function, exploited at the /admin/order/lists.html endpoint.