WordPress Zero-Day Could Expose Password Reset Emails

Polish security expert Dawid Golunski has discovered a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link. The issue, tracked as CVE-2017-8295, affects all WordPress versions and is related to how WordPress sites put together password reset emails. An attacker can craft a malicious HTTP request that triggers a tainted password reset operation by injecting a custom SERVER_NAME variable, such as "attacker-domain".

Source: https://www.bleepingcomputer.com/news/security/wordpress-zero-day-could-expose-password-reset-emails/
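To illustrate the defensive side of the issue described above, here is an added example (not from the article and not WordPress code) that contrasts a sender address built directly from SERVER_NAME with one checked against a fixed allowlist. The function names, the "wordpress@" local part as used here, and the hosts under example.com are assumptions for illustration.

```php
<?php
// Added example, not WordPress code. Function names and hosts are hypothetical.

// Pattern the article describes: the sender domain of the reset email is taken
// straight from SERVER_NAME, a value the request can influence.
function reset_mail_from_unsafe(array $server): string
{
    return 'wordpress@' . strtolower($server['SERVER_NAME'] ?? '');
}

// Hardened form: the request-derived name is used only if it is on a fixed
// allowlist; anything else is logged and replaced by the configured host.
function reset_mail_from_safe(array $server, array $allowedHosts, string $canonicalHost): string
{
    $name = strtolower(trim((string) ($server['SERVER_NAME'] ?? '')));
    // Normalise: drop an optional ":port" suffix and a trailing dot.
    $name = rtrim(preg_replace('/:\d+$/', '', $name), '.');

    if (!in_array($name, $allowedHosts, true)) {
        // json_encode keeps control characters out of the log line.
        error_log('password reset: rejected SERVER_NAME ' . json_encode($name));
        $name = $canonicalHost;
    }
    return 'wordpress@' . $name;
}

// Constructed sample requests (only the relevant $_SERVER key is shown).
$allowed = ['blog.example.com', 'www.blog.example.com'];
$samples = [
    ['SERVER_NAME' => 'blog.example.com'],
    ['SERVER_NAME' => 'attacker-domain'],
    ['SERVER_NAME' => 'Blog.Example.com:443'],
    [], // SERVER_NAME missing entirely
];

foreach ($samples as $s) {
    printf(
        "%-22s unsafe=%-32s safe=%s\n",
        $s['SERVER_NAME'] ?? '(missing)',
        reset_mail_from_unsafe($s),
        reset_mail_from_safe($s, $allowed, 'blog.example.com')
    );
}
```

For the "attacker-domain" sample the unsafe function returns wordpress@attacker-domain, while the hardened one logs the rejected value and returns wordpress@blog.example.com.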
