Old password reset email links remain valid after newer ones are issued, so an attacker who obtains one of these earlier links could use it to change a user's password and take over the account.
Several password reset requests can be sent, and when a new link arrives to reset the password, the previous link (email) can still be used; it is neither invalidated nor expired.
Reproduction steps:
- Submit a request for a password reset email.
- Submit a second request for password reset.
- Notice how you can still use the first email link to reset the password.
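As an added illustration (not code from the reported application), a minimal reset-token store in Python that models both behaviours: the reported one, where each new request leaves earlier emailed tokens usable, and the hardened one, where issuing a new token supersedes the old, tokens expire, and redemption is single-use. The class and function names, the in-memory store and the 15-minute TTL are assumptions.

```python
import hashlib
import secrets
import time


class PasswordResetTokens:
    """Constructed example: per-user reset-token store keyed by token hash."""

    def __init__(self, ttl_seconds=900, invalidate_previous=True):
        self.ttl = ttl_seconds                      # assumed 15-minute lifetime
        self.invalidate_previous = invalidate_previous
        self._by_user = {}                          # user_id -> {token_hash: expires_at}

    @staticmethod
    def _hash(token):
        # Store only a digest so a leaked store cannot be replayed as-is.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a token for the reset email; the fixed mode supersedes earlier ones."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        if self.invalidate_previous:
            self._by_user[user_id] = {}             # newest request wins; older emails die
        self._by_user.setdefault(user_id, {})[self._hash(token)] = now + self.ttl
        return token

    def redeem(self, user_id, token, now=None):
        """Return True once for a live token; reject unknown, expired or reused ones."""
        now = time.time() if now is None else now
        expires_at = self._by_user.get(user_id, {}).get(self._hash(token))
        if expires_at is None or now > expires_at:
            return False
        self._by_user[user_id] = {}                 # single use: clear every outstanding token
        return True


def reproduce(invalidate_previous):
    """Mirror the report's steps: request twice, then try the first link."""
    store = PasswordResetTokens(invalidate_previous=invalidate_previous)
    first = store.issue("alice", now=0)
    store.issue("alice", now=10)                   # second request, new email sent
    return store.redeem("alice", first, now=20)     # True = vulnerable, False = fixed
```

Running `reproduce(False)` returns True (the reported behaviour) and `reproduce(True)` returns False; the same store also rejects expired and already-used tokens.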