Interesting! It might actually have a big impact, given how heavily used the page is. And the target audience of php.net is likely to be a good target for keylogger attacks (SSH/SFTP logins and the like to development and production machines). It's certainly getting worse than I expected at first. Given how low the AV detection rate is, it would be interesting to see how much impact the plugin exploits have on the overall installation base.
If you don't enable Java/Flash/etc. by default (which you definitely should not enable!) you're probably safe. If you do, well, it's sucky. I guess running a rootkit detection tool and monitoring your outgoing traffic for a while would be a good idea (and also good food for paranoia - you'd discover how much outgoing traffic is generated by legit apps that you'd never expect to talk to the outside: version checks, usage updates, cloud syncs, etc.).
It doesn't seem to be possible to make Flash use 'click to play' on Chrome. You can make all plugins 'click to play', but unfortunately that breaks any plugins that do initialization in the onload handler.
Java is now click-to-play by default, and I'm hoping that Flash goes that way soon. Flash is mostly just used for annoying adverts these days, so it won't be a great loss (and maybe that is why Google is reluctant to disable it by default).