The MySQL injection vulnerability you are referring to (Secunia SA42369) was kindly pointed out to us by both the finder and Secunia, and was patched in the v1.2.3 release a full week before the advisory was released to the public (the update was released 12-14-2010). The only way you should have been "hacked" by this exploit is if you have not been properly updating your script, which is entirely your fault, as THT reminds you to update every time you view the Admin CP. The only current exploit is a Cross-Site Scripting problem, which has been minimized in the current release (1.2.3) and, with the proper security protocols that any webmaster should be following, is not really a problem at all (log out of THT Admin CP when you are done with it, do not visit suspicious websites while logged in to the ACP).
As with any script for your website, you should maintain caution and keep in mind that THT was, and is, intended to be used for free hosts. If you are selling hosting to someone, you should make the small investment in a system such as WHMCS, which was designed for that.