WordPress 4.0.1 adds a CSRF token called ‘rp_key’ to the password reset form on wp-login.php. Prior versions are vulnerable to CSRF.
core.trac.wordpress.org/changeset/30418
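The mechanism described above, as an added illustration in plain PHP that is not WordPress's own code and uses none of its API (the `ResetStore` class, the function names and the sample user are assumptions for this example): the reset key is issued per user, stored only as a hash with an expiry, carried in a hidden `rp_key` form field, and checked server-side before any password change is applied. A request that does not present the key, or that reuses a consumed one, is refused.

```php
<?php
// Added illustration, not WordPress code. Class and function names are
// assumptions; the user 'alice' and all data below are constructed.
declare(strict_types=1);

final class ResetStore
{
    /** @var array<string, array{hash: string, expires: int}> login => record */
    private array $records = [];

    // Issue a reset key for $login; only its hash is kept (in memory here).
    public function issue(string $login, int $ttlSeconds = 3600): string
    {
        $key = bin2hex(random_bytes(20));
        $this->records[$login] = [
            'hash'    => hash('sha256', $key),
            'expires' => time() + $ttlSeconds,
        ];
        return $key;
    }

    // Constant-time comparison of the submitted key; expired keys fail.
    public function verify(string $login, string $key): bool
    {
        $rec = $this->records[$login] ?? null;
        if ($rec === null || $rec['expires'] < time()) {
            return false;
        }
        return hash_equals($rec['hash'], hash('sha256', $key));
    }

    // Keys are single-use: drop the record once a reset succeeds.
    public function consume(string $login): void
    {
        unset($this->records[$login]);
    }
}

// The key travels in a hidden field of the POST body, not in the action URL.
function renderResetForm(string $login, string $key): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/wp-login.php?action=resetpass">'
         . '<input type="hidden" name="rp_key" value="' . $esc($key) . '">'
         . '<input type="hidden" name="rp_login" value="' . $esc($login) . '">'
         . '<input type="password" name="pass1" autocomplete="new-password">'
         . '<button type="submit">Reset password</button></form>';
}

// Handle the POST. A cross-site form submission that only names the user
// and a new password cannot supply rp_key, so it never reaches $setPassword.
function handleResetPost(ResetStore $store, array $post, callable $setPassword): bool
{
    $login = (string)($post['rp_login'] ?? '');
    $key   = (string)($post['rp_key'] ?? '');
    $pass  = (string)($post['pass1'] ?? '');
    if ($login === '' || $key === '' || strlen($pass) < 8) {
        return false;
    }
    if (!$store->verify($login, $key)) {
        return false;
    }
    $setPassword($login, $pass);
    $store->consume($login);
    return true;
}

// Demo with constructed data.
$store = new ResetStore();
$key   = $store->issue('alice');
echo renderResetForm('alice', $key), "\n";

$setPassword = function (string $login, string $pass): void {
    echo "password for {$login} updated\n";
};

// Legitimate submission carrying the hidden key.
var_dump(handleResetPost($store,
    ['rp_login' => 'alice', 'rp_key' => $key, 'pass1' => 'correct horse battery'],
    $setPassword));

// Submission without rp_key is refused, as is any reuse of the consumed key.
var_dump(handleResetPost($store,
    ['rp_login' => 'alice', 'pass1' => 'some other password'],
    $setPassword));
var_dump(handleResetPost($store,
    ['rp_login' => 'alice', 'rp_key' => $key, 'pass1' => 'some other password'],
    $setPassword));
```

Run with `php reset_demo.php`: the first `handleResetPost` call prints the update line and `bool(true)`; the second and third return `bool(false)` without calling the password setter. The store is in-memory for the demo; in a real deployment the hashed key and expiry would live in the user record, and the setter would write through the application's normal password API.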