The only people able to access the ACP are those who know the password, so that eliminates a big part of the threat. They also tend to be those who sanitize the input themselves by default. I don't see how an attacker can benefit from this unless he uses a compromised ACP.
Apologies vB. My presumption was incorrect. As I have a staff that goes through piles and piles of warnings, I do not dig deep enough to see if the software publisher was notified. We presumed by default that bugtraq or at least hackerscenter have enough sense to notify vB. Again, to vB - my apologies. A quick fix to the problem is, and in general a very good practice, to additionally restrict access to the /admincp/ folder through .htaccess.
In addition to the .htaccess file, renaming the default folder /admincp/ also helps, in case you accidentally delete the command out of the file.
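
The .htaccess restriction suggested in the posts above, written out as an added example (not from any poster or from vBulletin). It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the directory; the password-file path and the IP range are placeholders.

```apache
# /admincp/.htaccess
# Constructed example: adjust the path and address range to your own site.

AuthType Basic
AuthName "Restricted"
# Keep the password file outside the web root.
# Create it with: htpasswd -c /path/outside/webroot/.htpasswd <user>
AuthUserFile /path/outside/webroot/.htpasswd

# Require BOTH a valid HTTP-auth user AND a trusted source address,
# so the ACP login form is never reached without passing this layer first.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

If this file is removed or emptied, the directory falls back to the application login alone, which is the case the renamed folder is meant to cover.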