The vulnerability stems from insufficient validation and sanitization of the lid parameter handled by /s/index.php?action=statistics. The application does not escape or filter this user-supplied value before incorporating it into an SQL query, so an attacker can inject SQL code that the database server then executes. Arbitrary SQL execution of this kind lets attackers bypass authentication, retrieve sensitive data, modify database contents, or even execute commands on the underlying server if the database user has sufficient privileges.
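
The flaw described above next to its fix, as an added example that is not the affected application's code. The links table, its columns and both function names are hypothetical, and the sample rows are constructed; it uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);
// Added example. The table "links" and its columns are hypothetical,
// not the affected application's real schema.

// Vulnerable pattern: lid is concatenated into the SQL text, so any SQL
// syntax in the parameter becomes part of the statement.
function statsVulnerable(PDO $db, string $lid): array
{
    $sql = "SELECT lid, hits FROM links WHERE lid = " . $lid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then
// bind the value so the driver never parses it as SQL.
function statsHardened(PDO $db, string $lid): array
{
    $id = filter_var($lid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('lid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT lid, hits FROM links WHERE lid = :lid');
    $stmt->bindValue(':lid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (lid INTEGER PRIMARY KEY, hits INTEGER)');
$db->exec('INSERT INTO links VALUES (1, 10), (2, 20), (3, 30)');

$benign  = '2';
$crafted = '2 OR 1=1'; // constructed non-numeric value

printf("vulnerable, benign:  %d row(s)\n", count(statsVulnerable($db, $benign)));
printf("vulnerable, crafted: %d row(s)\n", count(statsVulnerable($db, $crafted)));
printf("hardened, benign:    %d row(s)\n", count(statsHardened($db, $benign)));
try {
    statsHardened($db, $crafted);
} catch (InvalidArgumentException $e) {
    printf("hardened, crafted:   rejected (%s)\n", $e->getMessage());
}
```

Validation and parameter binding are applied together here: the integer check rejects malformed input early, and the bound parameter keeps the query safe even if the check is later loosened.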