Not using HTTPS?

I only tested it on my network, but in reality, it could work anywhere. I could connect to a public hotspot and start sniffing.

As for what damage could be done: imagine being on the same network as a moderator. Anyone into causing some damage could have a bit of fun there. But at the very least, it’s a security concern, especially for people who don’t follow the “use a separate password for everything” rule.

Fortunately, it seems the shop actually uses separate login credentials though (from what I’ve seen anyway; someone who’s actually used it might want to chime in), along with using HTTPS. On the other hand, how many people who have a customer account use separate credentials from those of their forum account?