WordPress uses an insecure password reset mechanism. A user’s password reset link is not invalidated after a successful password change. This would allow an attacker who discovered the password reset link to reset the user’s password again.
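
A minimal model of the behaviour described above next to the corrected behaviour, as an added example that is not WordPress code and not part of the original page. The class, the user name, the passwords and the `invalidate_on_change` switch are all constructed for illustration.

```python
import hashlib, hmac, secrets, time

class ResetTokens:
    """Hypothetical reset-token store; not WordPress's implementation."""

    def __init__(self, invalidate_on_change, ttl=3600):
        self.invalidate_on_change = invalidate_on_change
        self.ttl = ttl
        self.tokens = {}     # user -> (sha256 of token, expiry time)
        self.passwords = {}  # user -> (salt, PBKDF2 hash)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a digest is stored, so a leaked table does not leak usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[user] = (digest, now + self.ttl)
        return token  # the value that would be embedded in the e-mailed link

    def _valid(self, user, token, now):
        entry = self.tokens.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        return now < expiry and hmac.compare_digest(digest, supplied)

    def reset(self, user, token, new_password, now=None):
        now = time.time() if now is None else now
        if not self._valid(user, token, now):
            return False
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.passwords[user] = (salt, pw_hash)
        if self.invalidate_on_change:
            # The fix: a successful change consumes the token, so the link is single-use.
            self.tokens.pop(user, None)
        return True

def replay_succeeds(invalidate_on_change):
    """Submit the same link twice; return whether the second use is accepted."""
    store = ResetTokens(invalidate_on_change)
    link_token = store.issue("alice")  # constructed user name
    if not store.reset("alice", link_token, "first-new-password"):
        raise RuntimeError("first use of a fresh token should succeed")
    return store.reset("alice", link_token, "second-new-password")
```

With `invalidate_on_change=False` the second submission of the same link is accepted, which is the issue stated above; with `True` it is rejected.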