A researcher reported a WordPress Password Reset vulnerability, tracked as CVE-2017-8295, and detailed it in a security advisory. The issue arises because WordPress uses a variable named SERVER_NAME to obtain the hostname of the server when setting the From/Return-Path header in password reset emails sent to users. The vulnerability affects all versions of WordPress, including version 4.7.4, released a couple of weeks ago. An attacker can force a password reset by sending a specially crafted request to the targeted WordPress site.
Source: https://securityaffairs.co/wordpress/58749/hacking/wordpress-password-reset-vulnerability.html
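
The sender-address pattern described above, next to a pinned alternative, as an added example (a simplified stand-alone model, not WordPress source and not code from the advisory). The function names, CANONICAL_HOST, ALLOWED_HOSTS and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress source. Function names and constants are
// hypothetical; the $server arrays below are constructed samples.

const CANONICAL_HOST = 'blog.example.org';            // assumption: the site's real hostname
const ALLOWED_HOSTS  = ['blog.example.org', 'www.blog.example.org'];

// Pattern the advisory describes: the sender domain follows SERVER_NAME.
function from_address_unpinned(array $server): string
{
    return 'wordpress@' . strtolower($server['SERVER_NAME'] ?? '');
}

// Hardened form: the sender domain comes from configuration only.
function from_address_pinned(): string
{
    return 'wordpress@' . CANONICAL_HOST;
}

// Guard for a reset handler: refuse to send mail when SERVER_NAME is not a
// configured hostname, and log the value (JSON-encoded so it cannot break
// the log line) for later review.
function reset_mail_allowed(array $server): bool
{
    $seen = strtolower($server['SERVER_NAME'] ?? '');
    if (in_array($seen, ALLOWED_HOSTS, true)) {
        return true;
    }
    error_log('password reset refused: unexpected SERVER_NAME ' . json_encode($seen));
    return false;
}

// Constructed requests: one with the expected hostname, one without.
$samples = [
    ['SERVER_NAME' => 'blog.example.org'],
    ['SERVER_NAME' => 'mail.unexpected.example'],
];

foreach ($samples as $server) {
    printf(
        "SERVER_NAME=%s\n  unpinned From: %s\n  pinned From:   %s\n  send mail:     %s\n",
        $server['SERVER_NAME'],
        from_address_unpinned($server),
        from_address_pinned(),
        reset_mail_allowed($server) ? 'yes' : 'no'
    );
}
```

In WordPress itself, the wp_mail_from filter is the hook a site can use to return a fixed sender address.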

