I suppose you're correct, the attacker could include the IP ranges within a small javascript loop. I was thinking about it from the perspective of having to click on a single compromised link.

But those two ranges would still miss my router. I definitely agree that most people don't change the IP at all, but then again, most people don't run third party firmware either.

A good one to get fixed as soon as possible, but not something to be terribly worried about short or long term. It should be trivial to have any open source project of this type patched quickly. Sanitizing a URL is pretty straight forward.