When classifying a remote user vulnerability, I think you should have two priority levels that distinguish between those that can be exploited remotely via SQL language statements submitted through the official client libraries, and those that require maliciously written client libraries or a direct network connection to mysql server.

The former class are more serious as they can be exploited through SQL injection in a poorly written client application, or having a mysql account on a shared server, rather than requiring code written by the exploiter to directly connect to the server, which in most cases network security would prevent happening.