First of all, this assumes the VPN incoming and outgoing IP is the same. This would be expected if you're using your home router as your VPN, as you have only one IP, but I don't think it should be for larger commercial providers, especially if you're using them to "hide you".
Then it assumes the attacker can open ports on that IP (as a feature offered by the provider). If you connect to that IP:port you'll be doing it over your normal non-encrypted interface because of the way the routing table is configured on your machine.
This is easy to prevent, and if you are using the VPN to "hide" you should already have such mechanisms in place (mostly to make sure you aren't leaking packets over your normal interface once your VPN and the network interface/route associated with it are down). One way is to personal-firewall-limit your "problem" apps (like browser or torrent client) to the VPN interface so they can never talk over your normal network. This can still leak via more advanced attacks (is Flash spawned as a separate process?), so probably the only safe way would be to block in your (external to VPN machine) firewall EVERYTHING except vpn_ip:port.
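The "block everything except vpn_ip:port" policy described in the comment above, written out as a host-level iptables kill switch. This is an added example and not code from the original post; the uplink name `eth0`, the tunnel name `tun0`, the VPN server address `203.0.113.10` and UDP port `1194` are constructed placeholders. The function prints the ruleset so it can be reviewed first; applying it requires root and replaces the OUTPUT chain. The rule that matters for the leak under discussion is the single ACCEPT on the uplink: only the tunnel transport itself may leave over the physical interface, so a browser connection to a forwarded port on the VPN server's IP, which the routing table would send out unencrypted, is dropped and logged instead.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal outbound kill switch.
# Assumptions (all constructed placeholders): physical uplink eth0, tunnel
# interface tun0, VPN server reachable at VPN_IP:VPN_PORT over UDP.

# kill_switch_rules VPN_IP VPN_PORT [UPLINK] [TUN]
# Prints the iptables commands for the OUTPUT chain without running them.
kill_switch_rules() {
  vpn_ip="$1"
  vpn_port="$2"
  uplink="${3:-eth0}"
  tun="${4:-tun0}"
  cat <<EOF
# default: nothing leaves unless a rule below allows it
iptables -P OUTPUT DROP
iptables -F OUTPUT
# loopback must keep working
iptables -A OUTPUT -o lo -j ACCEPT
# the only traffic permitted on the uplink is the tunnel transport itself;
# a NEW connection to $vpn_ip on any other port does not match this rule
iptables -A OUTPUT -o $uplink -d $vpn_ip -p udp --dport $vpn_port -j ACCEPT
# everything else goes through the tunnel
iptables -A OUTPUT -o $tun -j ACCEPT
# anything still trying to use the uplink is a leak: record it, then drop it
iptables -A OUTPUT -o $uplink -j LOG --log-prefix "vpn-leak: "
iptables -A OUTPUT -o $uplink -j DROP
EOF
}

# apply_kill_switch VPN_IP VPN_PORT [UPLINK] [TUN]
# Feeds the generated commands to the shell; needs root.
apply_kill_switch() {
  kill_switch_rules "$@" | grep -v '^#' | sh
}

# Review the ruleset before applying:
#   kill_switch_rules 203.0.113.10 1194 eth0 tun0
# Apply it (as root):
#   apply_kill_switch 203.0.113.10 1194 eth0 tun0
```

With these rules in place, the "vpn-leak:" log prefix is also a useful detection signal: any hit means some process tried to reach the network outside the tunnel, whether because the tunnel went down or because it was steered to the VPN server's own IP.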