So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

Donn Bly

Re: Does anybody use phar://?

Since phar:// is a PHP construct, not a WordPress one, whether or not you touch the GOLIATH that is WordPress is immaterial. Like it or hate it, WordPress is the most commonly used CMS on the web and we all have to deal with it on occasion even if we don't want to do so -- even if just as a website visitor.

The framework itself is actually audited and pretty stable, but I shudder whenever one of my clients wants to add a plugin.

Haven't looked at this announced vulnerability yet, but since it requires users to be authenticated AND have the ability to upload a file (presumably an image since thumbnail generation is mentioned), the vast majority of sites aren't going to be affected.