Yes, that’s the risk. If your WordPress registration process allows users to register and log in to your site without having to confirm their email address, then users can sign up with any email address that doesn’t already exist in your WordPress database.
In terms of SSO, the main risk in marking unverified email addresses as verified is that an account that exists on your Discourse site that is not yet associated with a WordPress account could be taken over.
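
The check described above, as an added example that is not part of the original post or the WP Discourse plugin's code: an SSO provider that only vouches for an email address it has confirmed, by setting `require_activation` in the payload it signs for Discourse. The user records, secret and nonce are constructed sample values, and `email_verified` is an assumed name for the provider's own confirmation flag.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def build_sso_response(nonce, user, secret):
    """Provider side: build the (sso, sig) pair returned to Discourse."""
    params = {
        "nonce": nonce,
        "external_id": str(user["id"]),
        "email": user["email"],
        # Vouch for the address only if the provider confirmed it.
        # require_activation=true tells Discourse the email is unconfirmed,
        # so it has to be confirmed on the Discourse side.
        "require_activation": "false" if user["email_verified"] else "true",
    }
    payload = base64.b64encode(urlencode(params).encode())
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.decode(), sig


def read_sso_response(payload, sig, secret):
    """Consumer side: verify the HMAC before trusting any parameter."""
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    query = base64.b64decode(payload).decode()
    return {key: values[0] for key, values in parse_qs(query).items()}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real site.
    secret = b"constructed-sso-secret"
    users = [
        {"id": 7, "email": "new@example.com", "email_verified": False},
        {"id": 8, "email": "known@example.com", "email_verified": True},
    ]
    for user in users:
        payload, sig = build_sso_response("constructed-nonce", user, secret)
        fields = read_sso_response(payload, sig, secret)
        print(fields["email"], "require_activation =", fields["require_activation"])
```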