This report is the pretty much same of my closed report here: #223355 , the difference is [BUG#2] when a user created an account BUT did not supply the password, therefor there is nothing to reauthenticate when deleting the account, it will successfully delete the account without supplying password because the user not yet set his/her password.
The removal of account is one of the sensitive part of a web application that needs to protect, therefor removing an account should validate the authenticity of the legitimate user.
I am not sure how you are going to handle this one, because reauthentication is the solution for this, but since the user not yet set his/her password, reauthentication will not work and the account can delete successfully, please consider my suggestion below.
The password creation should be enforced on the registration form, that will resolved many issues regarding the login and password reset mentioned on my other report here: #229528
When the user already have password on account registration, you don't have to touch the code of the account deletion form, you can leave it as it is since the user already have password to reauthenticate.
Let me know if you need more information or if there is anything i can help with.