It’s feasible and has been used in various 0day exploits in the last few years. It’s getting significantly rarer nowadays but media player exploits leading to RCE has been a staple of malware distribution for a long while.
It’s just much easier to make a malicious word macro and hope the user isn’t careful than to research/identify an exploitable bug in a media player.