It “seems" it would be an easy fix.  According to the original poster it says he alerted the development team.

I searched the archive and maybe he private messaged a couple developers?

The bug would have very low probability of exploit. You would have to be logged into an existing phpmyadmin session and simultaneously trick the user to click on a link while in the setup stage.

Thought I would post here that the bug is publicly posted.

Thanks,

Todd

P.S.  Enjoy phpmyadmin.  Been using it off and on over a decade.