Shouldn’t this patch also be applied to "core/model/phpthumb/phpthumb.functions.php" for Revolution? It’s not included in Revolution 2.1.1 yet.
Revo is not vulnerable to this hack due to the careful way in which it uses "connectors" to run that code.
I got my account hacked through an old phpThumb version exploit so I'm updating my phpThumb to the last version.
Unfortunately my web host doesn't have escapeshellarg() activated for my account so I was wondering if there's a way to run the last version of phpThumb without it.
If your host doesn't have escapeshellarg() activated, you should change hosts. Think about it: there's no sane reason why you'd block that function. I fully understand why they would block "exec" or "system" and the like, but why would they block this one? Bottom line is if you can't run that function, you are vulnerable to the hack.