The master process has to in order to bind to port 80, traditionally (i.e. if you don't run it on a high port and have the front end firewall forward port 80 to it). I believe they are saying the unprivileged child process can gain execution in the parent context, and to do that you just need a vulnerability in whatever the child does e.g. an over flow in mod_php or whatever.
Biting the hand that feeds IT
