by lushc 3340 days ago
One given example is that – in the case of the Return-Path header being maliciously set – the attacker could perform a DoS attack on the victim's mailbox so that the password reset email would be sent as part of a non-delivery receipt.

Also, if the victim has an auto-responder enabled, the attacker will receive an out of office reply, with the password reset link quoted in the email.
I've never seen an autoreply that's included the original message.
It was always rare, but it used to be more common than it is now.
Another way to trigger a bounce would be to have the evil domain purposefully have a strict SPF and DMARC policy set.
This depends on the recipient's (WP admin) server properly validating SPF and DMARC.
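An added example (not from this thread and not WordPress code) of the defender-side check the discussion implies: the reset mailer accepts a Return-Path only when it is a single, well-formed address on the site's own mail domain, so a bounce or auto-reply quoting the reset link cannot be routed to an attacker-chosen mailbox. TRUSTED_MAIL_DOMAIN and the sample addresses are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed configuration: the only domain from which password-reset mail
# may originate and to which bounces/auto-replies may return.
TRUSTED_MAIL_DOMAIN = "example.org"

# Constructed sample values: a legitimate envelope sender and a hostile one.
LEGIT_RETURN_PATH = "bounces@example.org"
HOSTILE_RETURN_PATH = "wordpress@evil.example"


def return_path_is_trusted(candidate: str) -> bool:
    """Accept a Return-Path only if it is one bare, well-formed address on
    TRUSTED_MAIL_DOMAIN and carries no header-injection characters."""
    if not candidate or any(ch in candidate for ch in "\r\n\x00"):
        return False
    _, addr = parseaddr(candidate)
    # Reject display names, comments, or anything parseaddr had to strip.
    if not addr or addr != candidate.strip():
        return False
    local, sep, domain = addr.rpartition("@")
    if not sep or not local:
        return False
    # Exact domain match: "example.org.evil.example" must not pass.
    return domain.lower() == TRUSTED_MAIL_DOMAIN


def build_reset_mail(recipient: str, reset_link: str, return_path: str) -> EmailMessage:
    """Build the reset mail, refusing any Return-Path that would send bounces
    (and therefore the quoted link) outside the trusted domain."""
    if not return_path_is_trusted(return_path):
        raise ValueError("untrusted Return-Path rejected: %r" % return_path)
    msg = EmailMessage()
    msg["From"] = "noreply@" + TRUSTED_MAIL_DOMAIN
    msg["To"] = recipient
    msg["Return-Path"] = return_path
    msg["Subject"] = "Password reset"
    msg.set_content("Use this link to reset your password: " + reset_link)
    return msg


if __name__ == "__main__":
    print(build_reset_mail("victim@example.net",
                           "https://example.org/reset?token=CONSTRUCTED",
                           LEGIT_RETURN_PATH))
```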