What is the Lack of Password Confirmation Change Email Address Vulnerability?

When a user wants to change their password, the application requires the current password before it processes the request. The same confirmation should be required when the user changes the account's email address; an application that skips it has this vulnerability.

Attack scenario: if someone forgets to log out of an account on a public computer, anyone can change the account's email address to their own and validate it. Then, using the forgot-password option, they can change the password as well.
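
The check described above, as an added example that is not part of the original page: a hypothetical in-memory account model with an email-change handler that trusts the session alone, next to one that requires the current password. All names, the PBKDF2 iteration count and the retry limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_CONFIRMATIONS = 5  # assumed limit so the prompt cannot be brute-forced


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical in-memory account record (constructed for this example)."""

    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failed_confirmations = 0

    def password_matches(self, candidate: str) -> bool:
        # Constant-time comparison of the stored and candidate hashes.
        return hmac.compare_digest(self.pw_hash, hash_password(candidate, self.salt))


def change_email_weak(account: Account, session_valid: bool, new_email: str) -> bool:
    # Weak form: a live session alone is enough, so an unattended
    # logged-in browser lets anyone repoint the account's email.
    if not session_valid:
        return False
    account.email = new_email
    return True


def change_email_hardened(account: Account, session_valid: bool,
                          new_email: str, current_password: str) -> bool:
    # Hardened form: same rule as a password change; the current
    # password must be re-entered even inside a valid session.
    if not session_valid:
        return False
    if account.failed_confirmations >= MAX_FAILED_CONFIRMATIONS:
        return False  # locked until the user signs in again from scratch
    if not current_password or not account.password_matches(current_password):
        account.failed_confirmations += 1
        return False
    account.failed_confirmations = 0
    account.email = new_email
    return True
```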

The ZOFixer.com security scan helps to find this vulnerability in your software and server. You can use it by registering on our website and activating the 30-day trial.
