Yes, usually it works in reverse. WordPress has an insecure plugin installed that allows a PHP script to be uploaded and executed. This can be used to attack the Magento side of things, including downloading the Magento database credentials, injection of custom administrator accounts into the Magento database, installing the Magepleasure file administration module and card information harvesting scripts.
Of course this is a two-way street: if Magento is, for example, unpatched for the shoplift bug, the attacker can use a POST transaction to directly inject an administrator account into the Magento database without having Magento credentials, fire up the Magento downloader and then install the Magepleasure file administration module and, once again, do anything they wish on the user account.
It totally depends on what the attacker wants to do. Computer infection probably is best accomplished through a popular blog, though the last hit on Magento was using admin accounts previously injected via the SUPEE-5344 shoplift bug, or Magento installations still not properly patched for the various vulnerabilities, to inject the GuruIncSite infection package into Magento's footer. Magento is of course of direct interest for plain old customer and credit card info theft.
To reiterate, if a plugin module for EITHER WordPress or Magento is vulnerable to attack, then both applications can be compromised.
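
A quick way to check whether the two applications actually share a trust boundary is shown below as an added example that is not part of the original answer. It assumes PHP runs as the owner of the WordPress document root and that the Magento credentials file is Magento 1's `app/etc/local.xml`; the function names and the temporary paths in the demo are constructed for illustration.

```python
import os
import stat
import tempfile


def can_read(path, uid, gids):
    """Approximate POSIX read check for a uid/gid set (ignores ACLs, root and parent dirs)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_isolation(wp_root, magento_config):
    """List reasons why code running as the WordPress owner could read Magento's config."""
    wp = os.stat(wp_root)
    cfg = os.stat(magento_config)
    findings = []
    if wp.st_uid == cfg.st_uid:
        # Same Unix account: a PHP upload flaw in one app exposes the other.
        findings.append("same-owner")
    if can_read(magento_config, wp.st_uid, {wp.st_gid}):
        findings.append("config-readable")
    if cfg.st_mode & stat.S_IROTH:
        # Readable by every local account, not only the WordPress owner.
        findings.append("world-readable")
    return findings


if __name__ == "__main__":
    # Constructed layout standing in for a shared hosting account.
    with tempfile.TemporaryDirectory() as base:
        wp_root = os.path.join(base, "wordpress")
        etc_dir = os.path.join(base, "magento", "app", "etc")
        os.makedirs(wp_root)
        os.makedirs(etc_dir)
        config = os.path.join(etc_dir, "local.xml")
        with open(config, "w") as fh:
            fh.write("<config/>")
        os.chmod(config, 0o644)
        print(audit_isolation(wp_root, config))
```

An empty result means the WordPress owner cannot read the file by ordinary permission bits; any finding means the two applications should be moved to separate Unix accounts with the credentials file restricted to the Magento one.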