Defender must have had an update in the vulnerability database. Scan from last night showed: "WordPress 2.3-4.7.4 - Host Header Injection in Password Reset"
Also, Defender offers to fix it but won't fix it then. It shows it as a plugin/theme problem where it really should be a WordPress Core issue from what little I could gather on Google.
Support Access is enabled.