WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
When a user requested a password reset link, but did not use it and instead reset their password by logging in, the password reset link would still be usable.
This could give an attacker a larger attack window to obtain the password reset link. However, the attacker must first have access to the user's email account, which if this was the case, the attacker could just request another password reset link anyway.
Due to this, this vulnerability is a low risk and is unlikely to be exploited in the wild.