Description
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3 and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an email account that received a password-reset message.
CVSS 2.0 Base score
Medium (4.3)
Researcher
Tanoy Bose (simultaneously and independently submitted by Momen Bassel and Bojan Slavkovic)
POC
Limited Disclosure