The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail. This could possibly allow an attacker to intercept the e-mail containing the password reset link, in some cases requiring user interaction and in others without it. WordPress uses the SERVER_NAME variable to get the hostname of the server in order to create the From/Return-Path header of the outgoing password reset e-mail. This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function:
Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
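
The pattern described above, next to a hardened form, as an added example that is not code from WordPress or from the advisory. The function names, the `ALLOWED_MAIL_DOMAINS` allowlist, the `example.org` / `example.net` hostnames and the sample `SERVER_NAME` values are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: hostnames this site may use as a sender domain.
const ALLOWED_MAIL_DOMAINS = ['example.org'];
const FALLBACK_MAIL_DOMAIN = 'example.org';

// Pattern described on the page: the sender domain comes straight from
// SERVER_NAME, so whoever controls that value controls From/Return-Path.
function from_address_untrusted(array $server): string
{
    $host = strtolower((string)($server['SERVER_NAME'] ?? ''));
    return 'wordpress@' . $host;
}

// Hardened form: SERVER_NAME is accepted only on an exact allowlist match.
// Anything else falls back to the configured domain and is logged, which
// gives defenders a signal that an unexpected hostname reached the mailer.
function from_address_pinned(array $server): string
{
    $host = strtolower(trim((string)($server['SERVER_NAME'] ?? '')));
    if (!in_array($host, ALLOWED_MAIL_DOMAINS, true)) {
        error_log('mail sender: unexpected SERVER_NAME ' . json_encode($host));
        $host = FALLBACK_MAIL_DOMAIN;
    }
    return 'wordpress@' . $host;
}

// Constructed sample inputs (not captured from a real server).
$cases = [
    'expected host'   => ['SERVER_NAME' => 'example.org'],
    'unexpected host' => ['SERVER_NAME' => 'mail.example.net'],
    'missing value'   => [],
];

foreach ($cases as $label => $server) {
    printf(
        "%-16s untrusted=%s pinned=%s\n",
        $label,
        from_address_untrusted($server),
        from_address_pinned($server)
    );
}
```

In a WordPress deployment the same pinning is usually done by setting a fixed sender through the `wp_mail_from` filter, or by having the web server reject requests for hostnames it does not serve.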

