if this is a local exploit with specially crafted .po files, it sounds like a non-issue. all translation files go through weblate before getting merged into trunk, not sure if you can drag this exploit through that.
I agree, that the security impact is not very big. So no reason to go into panic mode and do rushed decisions
The motranslator project, that I referenced offers improved speed and is actively maintained - so future problems (e.g. becoming compatible with newer PHP releases) can be solved by simply updating the local copy. Also it shouldn’t be hard to replace php-gettext with that one, since it also offers a way to use it in gettext compatibility style.