by zaroth 3529 days ago
What if they click the link but don't click the button? Do they need another password reset token at that point? If not, is there still an attack window there that needs to be plugged?
1 comment

The links usually expire after 24 hours (attack window), if unused.

Loading the page without clicking does not invalidate the link.

I agree this is not highly secure. It's basically one notch above sending cleartext passwords by email (which many websites unfortunately still do).
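As an added illustration of the behaviour the reply describes (not code from the thread or from any particular site), here is a Python reset-token store in which merely loading the reset page (the GET) checks the token without consuming it, while submitting the form (the POST) burns it, and every token expires after a fixed TTL. The one-hour TTL, the `peek`/`consume` names and the injectable clock are assumptions made for the example; only a SHA-256 digest of each token is stored so a database leak does not hand out usable links, and issuing a new token for a user invalidates any earlier one.

```python
import hashlib
import secrets
import time

# Hypothetical TTL for the example; the thread mentions 24 hours as the usual value.
TOKEN_TTL_SECONDS = 60 * 60


class PasswordResetStore:
    """Single-use, expiring password-reset tokens; only token digests are stored."""

    def __init__(self, ttl_seconds=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised deterministically
        # sha256(token) -> {"user": user_id, "expires": unix_time, "used": bool}
        self._tokens = {}

    @staticmethod
    def _digest(token):
        # Store/look up by digest: a leaked table yields no usable links, and the
        # dict lookup on the digest never compares the raw secret itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id, revoking any outstanding one."""
        for digest, rec in list(self._tokens.items()):
            if rec["user"] == user_id:
                del self._tokens[digest]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = {
            "user": user_id,
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return token  # goes into the e-mailed link; never persisted in the clear

    def _lookup(self, token):
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return None
        return rec

    def peek(self, token):
        """GET /reset?token=...: decide whether to render the form.

        Does NOT consume the token, so a user who clicks the link but not the
        button can still come back; this is exactly the window the thread asks
        about, bounded only by the TTL.
        """
        rec = self._lookup(token)
        return rec["user"] if rec else None

    def consume(self, token):
        """POST /reset: validate, burn the token, and return the user to update."""
        rec = self._lookup(token)
        if rec is None:
            return None
        rec["used"] = True
        del self._tokens[self._digest(token)]
        return rec["user"]


if __name__ == "__main__":
    store = PasswordResetStore()
    t = store.issue("alice")
    print("GET renders form for:", store.peek(t))
    print("POST resets password for:", store.consume(t))
    print("second POST with same link:", store.consume(t))
```

Because the token is only burned on submit, shortening the TTL, revoking the token once the password is changed by any other route, and revoking it on a successful login are the levers that narrow the remaining window without breaking the link-then-form flow.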