Is this a real or merely theoretical concern?
Is it worth modifying my relevant PHP code?
Quick Joomla Security Tip: Disable PHP Execution in the Images FolderWe have been securing/cleaning Joomla websites for so long that we have identified the three-step process a malicious attacker performs to hack a Joomla website:
Disabling PHP execution in the images directory will mean that even if someone sneaked a PHP file to your images directory, it won’t be executed. In fact, when the attacker tries to execute the malicious script, he will only see the code. Nothing will happen!
http://www.itoctopus.com/quick-joomla-security-tip-disable-php-execution-in-the-images-folder