Re: From where
It's not just command line usage of wget, wget can be used as a library for other programs to fetch files off the internet. If the resource being fetched is behind a login the details needed to authenticate access to that resource need to be passed to the wget processes somehow. That can be done by prepending the domain with "user:pw" in the URL or by including auth tokens in the query string at the end of the URL. Both of these could be considered sensitive data that should probably not be arbitrarily stored on disk unprotected. So any program, or script, that relies on wget could be effected by this bug.
It is worth noting that chromium is also effected by a very similar bug, and that is not an easy program to use on the command line.