When any user wants to change the password, the current password is asked for before proceeding with the request. This should also be implemented for changing the email.
Attack Scenario: When someone forgets to log out of the account on a public computer, anyone can change the email to their own and verify it. After that, using the forgot password feature, they can change the password too.
Reference From : #546
Best Regards, Pratyush Janghel
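
The check requested above, sketched as an added example that is not part of the original report or the project's own code: an email change is accepted only when the current password is supplied along with the logged-in session. The in-memory `USERS` store, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (assumption); a real application
# would use its own database and session layer.
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
    }


def verify_password(username: str, password: str) -> bool:
    user = USERS[username]
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(candidate, user["pw_hash"])


def change_email(session_user: str, new_email: str, current_password) -> bool:
    """Change the email of the user who owns the current session.

    A valid session alone is not enough: the caller must also supply the
    current password, the same way the password-change flow does.
    """
    if not current_password or not verify_password(session_user, current_password):
        return False  # re-authentication failed, email stays unchanged
    USERS[session_user]["email"] = new_email
    return True


if __name__ == "__main__":
    register("alice", "alice@example.com", "correct horse")
    # Someone using a session left open, without knowing the password:
    print(change_email("alice", "other@example.net", None))
    # The account owner, who knows the current password:
    print(change_email("alice", "alice@new.example", "correct horse"))
```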