A new vulnerability has been found in all versions of WordPress up to and including the current release (4.7.4). This vulnerability allows attackers to utilize the password reset functionality in WordPress to obtain the password reset link.
WordPress has not yet released an update to counter exploit attempts, so in the mean time we recommend installing a plugin to disable the password reset functionality in WordPress. As always we also recommend ensuring all other plugins and the core WordPress installation are completely up to date as well.
If you require any assistance implementing these changes, please don’t hesitate to give the Secure-ISS and AppServe team.