Today, Django released security patch updates for all of its supported versions. These address an account hijack vulnerability in Django's password reset form. We strongly recommend checking any website where the password reset form might be in use to confirm whether it is vulnerable, and if so, upgrading Django or removing the form.
This vulnerability also affects Wagtail’s password reset form, which is built on top of Django’s own form. All you need to do is upgrade Django to one of the versions released today, which include the fix. No Wagtail upgrade needed.
If upgrading isn’t an option for you, consider disabling password resets in the meantime with the WAGTAIL_PASSWORD_RESET_ENABLED setting.
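As an added example (not part of this post or of the Wagtail or Django projects), the following Python helper decides, per Django release series, whether an installed version predates the patched release. The post does not state the patched version numbers, so the FIXED_MINIMUMS table holds an obviously labelled placeholder that must be replaced with the versions from Django's own release announcement; a series absent from that table (an unsupported release line) is reported as needing an upgrade, since no patch exists for it.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Series = Tuple[int, int]

# PLACEHOLDER: the Wagtail post does not list the patched Django versions.
# Replace each entry with the first patched release of that series, taken
# from the Django security release announcement, e.g. (3, 2): (3, 2, 99).
FIXED_MINIMUMS: Dict[Series, Version] = {
    (0, 0): (0, 0, 0),  # placeholder entry, replace before use
}

# Accepts "X.Y" or "X.Y.Z"; trailing pre-release tags such as "rc1" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse a Django version string into a (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def needs_upgrade(installed: str, fixed: Dict[Series, Version] = FIXED_MINIMUMS) -> bool:
    """True when the installed version is older than the patched release of its series.

    Fails closed: an unparsable version, or a series with no patched release
    (i.e. an unsupported Django line), is reported as needing an upgrade.
    """
    version = parse_version(installed)
    if version is None:
        return True
    series = (version[0], version[1])
    if series not in fixed:
        return True
    return version < fixed[series]


def installed_django_version() -> Optional[str]:
    """Return the version of the Django package importable here, if any."""
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    current = installed_django_version()
    if current is None:
        print("Django is not importable from this environment")
    elif needs_upgrade(current):
        print(f"Django {current}: upgrade required (or disable password resets)")
    else:
        print(f"Django {current}: at or above the patched release for its series")
```

Until the upgrade is in place, the mitigation named in the post is a single line in the Wagtail settings module: WAGTAIL_PASSWORD_RESET_ENABLED = False.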