I think so, but even if it is, this is not a WPA vulnerability. Relating it to WPA is equivalent to claiming SSH is insecure because someone looked over your shoulder and saw what you did. It's a side-channel attack that gives you the WPA key because WPS literally hands it to you once you guess its (short) password.