I get where WordPress is coming from by not fixing this issue since it's an Apache thing. But since Apache's default value causes this to happen I think the framework should try to protect its users. The normal user that had their WordPress installed using an application installer on a shared host isn't going to know about this issue.
As mentioned in a previous discussion by calibas, PHP.net has this disclaimer:
"Note: Under Apache 2, you must set UseCanonicalName = On and ServerName. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts."
Fortunately, shared hosts aren't likely to be vulnerable to this attack: in that case, the Host header will be used to identify which shared site to run, so if an attacker changes it they'll get a different site. This vulnerability is only a problem if WordPress is installed as the default site (or has a dedicated IP address), in which case unknown values of the Host header will be passed directly to it.
Django has an ALLOWED_HOSTS setting, which must be provided even in debug and test configurations. I'm surprised Wordpress doesn't have a similar setting; accepting any arbitrary Host can only cause trouble (at least for those uninformed sites which don't already prevent it at the web server level).