Brief Description:
Under specific circumstances, the password reset acknowledgement email is sent to the wrong account.

Instructions:
I discovered this by accident when I was experimenting with two different browsers (in this case Firefox and Chrome, but it should work with any) at the same time because I wanted to log in as Pivillean without logging out as 314.
Color codes: Chrome, Firefox, email.

I was logged in as 314.
I requested a password reset for Pivillean.
I clicked the URL I received via an email to Pivillean's address. The URL opens here because it's my default browser.
I set a new password for Pivillean.
I am now logged in as Pivillean instead of 314.
Logging in as Pivillean using the new password works.
I receive an email (see "evidence") that confirms my password reset.
Logging in as 314 using my old password for 314 works; it was not changed.

To summarize:
I changed Pivillean's password via the URL (from Piv's email account) while I was logged in as 314.
314 received an email saying that 314's password has been changed.
314's password actually remains unchanged.
Pivillean did not receive a password reset email.
Pivillean's password was changed as intended.

How many times did you recreate this?:
Once, I haven't had enough time to test it again yet.

Result:
An email addressing 314 was sent to 314's email address even though Pivillean's password was reset. xenForo seems to use the name/email of whoever was logged in when the password was reset instead of using the password's owner.

Expected Result:
An email addressing Pivillean should be sent to Pivillean's email address because his password was reset.

Evidence:
Examining the 314 and Pivillean accounts shows that the .de address is associated with 314, not with Pivillean. It's even addressed to 314 even though Pivillean's password was reset.
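The logic flaw the report describes, modelled as an added example that is not XenForo's code: a reset handler that sets the password on the account that owns the reset token but addresses the confirmation email to the account logged in in the current browser session, beside a corrected handler that derives every identity decision from the token. The user names, e-mail addresses, passwords and the in-memory store and mailer are constructed for the example.

```python
"""Password-reset completion: who owns the password, and who gets the mail?

Added example, not XenForo's code. Models the behaviour in the report:
the password is changed on the token owner's account, but the confirmation
e-mail is addressed to whoever is logged in in the browser session.
Users, tokens, addresses and the mailer are all constructed in-memory.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    name: str
    email: str
    password: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)         # name -> User
    reset_tokens: dict = field(default_factory=dict)  # token -> owner name
    sent_mail: list = field(default_factory=list)     # (recipient, subject)


def request_reset(store, name):
    """Issue a single-use token bound to the account that requested the reset."""
    token = secrets.token_urlsafe(16)
    store.reset_tokens[token] = name
    store.sent_mail.append((store.users[name].email, f"Reset link for {name}"))
    return token


def complete_reset_buggy(store, token, new_password, session_user=None):
    """Buggy variant: the password goes to the token owner, but the
    confirmation is addressed to the session user when one is logged in."""
    owner = store.users[store.reset_tokens.pop(token)]
    owner.password = new_password
    notify = store.users[session_user] if session_user else owner
    store.sent_mail.append((notify.email, f"{notify.name}, your password was changed"))
    return owner.name


def complete_reset_fixed(store, token, new_password, session_user=None):
    """Fixed variant: the browser session is irrelevant to a token-based
    reset; both the password change and the notification follow the token."""
    owner = store.users[store.reset_tokens.pop(token)]
    owner.password = new_password
    store.sent_mail.append((owner.email, f"{owner.name}, your password was changed"))
    return owner.name


def reproduce(handler):
    """Replay the report: logged in as '314', complete a reset for 'Pivillean'.
    Returns who received the last e-mail and both accounts' passwords."""
    store = Store(users={
        "314": User("314", "314@example.de", "old-314"),          # constructed
        "Pivillean": User("Pivillean", "piv@example.com", "old-piv"),  # constructed
    })
    token = request_reset(store, "Pivillean")
    handler(store, token, "new-piv", session_user="314")
    recipient, _subject = store.sent_mail[-1]
    return {
        "confirmation_to": recipient,
        "pivillean_password": store.users["Pivillean"].password,
        "u314_password": store.users["314"].password,
    }


if __name__ == "__main__":
    print("buggy:", reproduce(complete_reset_buggy))
    print("fixed:", reproduce(complete_reset_fixed))
```

Running it shows the buggy handler mailing 314's address while Pivillean's password is the one that changed, and the fixed handler mailing Pivillean. The practical check for any reset implementation is the same one the reporter did by hand: the notification recipient must be resolved from the token's owner, never from the session cookie, because the two are allowed to differ.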
@314 thanks for reporting. Xenforo developers have confirmed the bug and state it will be fixed in a future release. (It’s something they have fixed for the new XF2, just not for XF1.)