Even if people could get this to work, I'm not sure it's even half as bad as it sounds. You'd still have to:
- have your apps installed on the SD card
- have granted at least one of those apps "interesting" permissions
- physically hand your phone or SD card over to someone who knows about this vulnerability, has the necessary skills to exploit it (which seemingly nobody has), and give them enough time to do so.
Even if all this were to happen, the rogue app is still confined to its own sandbox, so how much damage can it do? It might be able to delete all the files that belonged to the original app, but that's pretty much the end of it.
Sure, definitely not good, and it needs to be patched, but it doesn't look like something anybody at XDA can actually pull off, even if they did get their hands on your phone.