Just thought I'd create an issue in the Bugs section after replying to this thread.
Here's my 2-minute attempt at SQL injecting Nop.
1. Log in to admin console.
2. View all orders:
http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10
Returns 6 orders.
3. Change URL from above to http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10' or 1=1 --
Returns all 8 orders.
Therefore it most definitely IS vulnerable.
I couldn't find anything obvious on the front end, though I'm sure someone with a little more knowledge (and time) would more than likely find somewhere where things are left unchecked.
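An added example, not part of the original post and not nopCommerce code: it shows how a filter value concatenated into SQL text reproduces the 6-versus-8 result from steps 2 and 3, next to a hardened handler that validates the value as an integer and binds it as a parameter. The table layout, the function names and the assumption that the value reaches a string-built query are hypothetical; the order counts are constructed to mirror the post.

```python
import sqlite3

# Constructed data mirroring the post: 8 orders, 6 with payment status 10.
STATUSES = [10, 10, 10, 10, 10, 10, 30, 30]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, payment_status_id INTEGER)"
    )
    db.executemany(
        "INSERT INTO orders (payment_status_id) VALUES (?)",
        [(s,) for s in STATUSES],
    )
    return db


def list_orders_concat(db, raw):
    # Vulnerable pattern (assumed for illustration): the query-string value
    # is pasted into the SQL text, so a quote in it ends the literal early.
    sql = f"SELECT id FROM orders WHERE payment_status_id = '{raw}'"
    return [row[0] for row in db.execute(sql)]


def list_orders_safe(db, raw):
    # Hardened: accept only a plain integer, reject anything else outright
    # (never fall back to "no filter"), and bind the value as a parameter.
    if not raw.isascii() or not raw.isdigit():
        raise ValueError("paymentStatusId must be an integer")
    sql = "SELECT id FROM orders WHERE payment_status_id = ?"
    return [row[0] for row in db.execute(sql, (int(raw),))]


if __name__ == "__main__":
    db = make_db()
    probe = "10' or 1=1 --"  # the value from step 3 of the post
    print(len(list_orders_concat(db, "10")))   # filtered list
    print(len(list_orders_concat(db, probe)))  # filter bypassed
    print(len(list_orders_safe(db, "10")))     # filtered list
    try:
        list_orders_safe(db, probe)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting a malformed value with an error, rather than silently dropping the filter, also keeps the "returns every order" observation from occurring for reasons unrelated to the query itself.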