The short answer: No, Thematic is not subject to this vulnerability.
The long answer:
The XSS vulnerability arises when the add_query_arg() function is called without the optional third parameter. The function then defaults to using $_SERVER['REQUEST_URI'], which is something that needs to be escaped before output.
Since we are sending a known safe URL to the function, we are not technically required to escape the output.
That said, I will probably add URL escaping anyway, just because it's a good thing to do.
Thank you for bringing the issue up for everyone’s attention. It’s great that you are paying attention to security matters.
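To make the three situations in the reply concrete, here is an added example; it is not code from the reply above or from the Thematic theme. It assumes WordPress is loaded (add_query_arg(), esc_url() and home_url() are WordPress core functions), the thematic_demo_* function names are hypothetical, and the $_SERVER['REQUEST_URI'] value is constructed to stand in for a request an attacker controls.

```php
<?php
// Added example, not code from the original reply or from the Thematic theme.
// Assumes WordPress is loaded: add_query_arg(), esc_url() and home_url() are
// WordPress core functions. The request URI below is constructed.

// Constructed attacker-controlled request. When a client sends the quote and
// the event handler without URL-encoding them, they reach
// $_SERVER['REQUEST_URI'] as raw text.
$_SERVER['REQUEST_URI'] = '/archives/?page=2" onmouseover="alert(1)';

// 1. The pattern the vulnerability is about: no third parameter, so
// add_query_arg() builds on $_SERVER['REQUEST_URI'], and the result is echoed
// into an attribute without escaping. The attacker's text ends up inside
// the href and the quote closes the attribute early.
function thematic_demo_unsafe_link() {
    $url = add_query_arg( 'paged', '2' );          // base defaults to REQUEST_URI
    return '<a href="' . $url . '">Next</a>';       // unescaped output: XSS
}

// 2. The same call, hardened: esc_url() removes characters that are not valid
// in a URL, including the double quote that would close the attribute, so
// the request-derived URL can be echoed safely.
function thematic_demo_escaped_link() {
    $url = add_query_arg( 'paged', '2' );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// 3. The case described in the reply: a known, server-controlled base URL is
// passed as the third parameter, so REQUEST_URI is never consulted. Escaping
// is still applied, because it costs nothing and protects the template if
// the base URL is later changed to something derived from the request.
function thematic_demo_known_base_link() {
    $url = add_query_arg( 'paged', '2', home_url( '/archives/' ) );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

echo thematic_demo_unsafe_link(), "\n";
echo thematic_demo_escaped_link(), "\n";
echo thematic_demo_known_base_link(), "\n";
```

Running this inside a WordPress install (for instance from a theme's functions.php while testing) shows the first link carrying the injected attribute and the other two rendering a plain, well-formed href. The check a reviewer wants in a theme is therefore simple: every add_query_arg() result that reaches the page passes through esc_url(), whether or not a third parameter was supplied.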