My website is on Wordpress. Say someone knows my username and password for my database. Without knowing my cPanel password or wordpress admin password, what can they possibly do with only the database username and password? And how would they do it? Like where would they log in to my database from?
If they can login to your WP dashboard they can easily delete your posted content,images,videos,theme,plugins and even add malware codes to your content post or to get revenue from publising their advertising codes, so basically they are the new owner of your WP website. What I suggest you is that you do not want to know how they do it, you only want to get more protective messures to your WP website, like adding some free WP protection tools like, Wordfence free plugin, All In One WP Security, Sucuri security, i themes security. These can harden your login page and many other protection methods to your wp website. Thank you take care.
Depends what is allowed on the host. If I had you login-information to the mysql-server, I could fire up a local mysql-suite, like HeidiSQL, input your information, and have full access to your database. From there, I could alter, insert, delete and do all kinds of bad stuff. This requires that the host allows remote logins to the database (most hosts allow this). No need for any access to cPanel or similar. Also, take note that they could replace the passwords for user-accounts, thereby gaining access to the admin-panel of wordpress (not that they'd need to, they already have access to the database), change theme-files etc. If the database contain other stuff than just the wordpress install, they would also have access to that.
Most hosts have remote connection disabled by default, however even if remote connection is disabled the bad user could still gain access potentially by creating a hosting account on the same server as your website, such as by registering an account with the web host, then use a PHP script to connect to your database from the server using your DB information. It takes a bit more work on the attacker's part, but it's doable.
I think you're overly confident in the knowledge and capabilities of most hosts... my experience is that many hosts have some form of remote access - logged, perhaps, but usually it's possible - some hosts even uses the same password, or similar passwords for accessing different parts of the server (say both FTP / SFTP and MySQL) and so forth and so on... basically, if any login-info gets out, change it - immediately!