Yes, it's trivial. Once the attacker is on the WLAN, they can easy attack any device on the WLAN/LAN, including the router. As to how, they could:
- Try the defaults username/password. Most users never change these.
- Grab the password via a sniffer.
- Grab SNMP private data via a sniffer.
- Brute force the router's logon.