WordPress wp-login.php contains multiple vulnerabilities, including cross-site scripting (XSS), denial of service, hash comparison, server-side request forgery (SSRF), and cross-site request forgery (CSRF). Because of these vulnerabilities, attackers can reset passwords by leveraging access to an e-mail account that received a password-reset message.
Related records:
http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-multiple-vulnerabilities-2
Update WordPress.