Actually the bug exist during the installation process so in order to take control on the remote webserver there are condition required which an incomplete installation of the CMS.
“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system.
To protect your WordPress installation you need to have the latest CMS version and plugins, also it is important to apply best practices provided on the main website: http://codex.wordpress.org/Hardening_WordPress