The password reset flow builds the reset link from $_SERVER['HTTP_HOST'] without any validation or filtering of that value. Because the Host header is attacker-controlled, an attacker who requests a password reset for a victim's account with a forged Host header causes the application to email the victim a reset link pointing at the attacker's domain. If the victim clicks it, the password reset token is delivered to the attacker, who can then complete the reset, which may lead to account takeover.
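As an added illustration (not code from the report or from the affected application), the snippet below shows the vulnerable pattern of deriving the reset link from $_SERVER['HTTP_HOST'], next to a hardened version that takes the origin from server-side configuration and, for deployments that legitimately serve several hostnames, checks the incoming host against an allowlist. The domain names, the configured base URL and the reset path are assumptions:

```php
<?php
// Added example, not the reported application's code. Demonstrates Host header
// poisoning of a password-reset link and two ways to avoid it.

// Vulnerable: the link's host comes straight from the client-supplied Host header.
function build_reset_link_vulnerable(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/reset-password?token=' . rawurlencode($token);
}

// Hardened: the origin is a fixed, server-side configured value (assumed here).
const APP_BASE_URL = 'https://example.com';

function build_reset_link_hardened(string $token): string
{
    return APP_BASE_URL . '/reset-password?token=' . rawurlencode($token);
}

// Hardened (multi-host deployments): only a host from an explicit allowlist is
// ever reflected into the link; anything else falls back to the configured origin.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function build_reset_link_allowlisted(array $server, string $token): string
{
    // Strip an optional port, compare case-insensitively, reject partial matches.
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '', 2)[0]);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return build_reset_link_hardened($token);
    }
    return 'https://' . $host . '/reset-password?token=' . rawurlencode($token);
}

// Constructed request: an attacker sends "Host: attacker.example" when asking
// for a reset on the victim's account.
$spoofedRequest = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
$token = bin2hex(random_bytes(16)); // stand-in for the real reset token

echo build_reset_link_vulnerable($spoofedRequest, $token), PHP_EOL;
// https://attacker.example/reset-password?token=...  (token leaks to the attacker)

echo build_reset_link_hardened($token), PHP_EOL;
// https://example.com/reset-password?token=...

echo build_reset_link_allowlisted($spoofedRequest, $token), PHP_EOL;
// https://example.com/reset-password?token=...  (spoofed host rejected)
```

Note that the allowlist check compares the exact hostname rather than using a substring or regex match, since a check such as `strpos($host, 'example.com')` would accept `example.com.attacker.example`. Configuring the web server to reject requests whose Host header does not match a known virtual host adds a second layer that does not depend on application code.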
Account Takeover