The issue with the SERVER_NAME and PHP mail function allow an attacker to trick the WordPress send the password reset (crafted wp-login.php?action=lostpassword request) mail to the attackers SMTP server.
Update WordPress to the latest possible version (at least 4.7.5)