huntr report 3C514923-473F-4C50-AE0D-D002A41FE70F

Missing Authentication for Critical Function

2022-11-15 03:51:05
strik3r0x1
www.huntr.dev
12
authentication
password
verification
email
sensitive action
bug bounty

EPSS

0.001

Percentile

25.5%

Description

When users change their password, they are normally asked to confirm the request by entering the current password. The same protection should apply to changing the account email address, since the email address is typically what password reset and account recovery depend on.

When a user changes the email address, the site sends a verification mail to the new address without asking for the current password or sending a confirmation code to the old address. Anyone who can issue requests from a logged-in session can therefore redirect the account to an address they control.

Proof of Concept

1. Go to https://demo.kavitareader.com/preferences#account
2. Enter a new email address (any fake address will do).
3. A pop-up message confirms that a verification mail has been sent to the new address.
4. Note that no password confirmation was required for this sensitive action.

Mitigation: Require the current password (or a confirmation code sent to the old address) before an email change is accepted, as is already done for password changes.
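The following is an added example, not Kavita's code or part of the original report. It models an account service with an in-memory user store: change_email_unverified reproduces the reported behaviour (a logged-in session alone is enough to start the change), while change_email is the hardened form that re-authenticates with the current password, mails the verification token to the new address and notifies the old one. The User class, the outbox list standing in for SMTP, the PBKDF2 password hashing and all names and addresses are constructed for the demonstration.

```python
# Added example, not Kavita's code: a minimal account service showing the
# reported behaviour (email change accepted on session alone) next to a
# hardened version that re-authenticates with the current password and
# notifies the old address. All names and the in-memory store are constructed.
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted without the current password."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (stand-in for a real password hasher)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.pending_email: Optional[str] = None
        self.pending_token: Optional[str] = None
        # (kind, recipient) pairs: a constructed stand-in for outgoing mail
        self.outbox: List[Tuple[str, str]] = []


def change_email_unverified(user: User, new_email: str) -> str:
    """The reported flaw: the session is trusted, no password, no notice to the old address."""
    user.pending_email = new_email
    user.pending_token = secrets.token_urlsafe(32)
    user.outbox.append(("verify", new_email))
    return user.pending_token


def change_email(user: User, new_email: str, current_password: str) -> str:
    """Hardened: re-authenticate before anything is staged, then warn the old address."""
    if not verify_password(current_password, user.salt, user.pw_hash):
        raise ReauthRequired("current password required to change email")
    user.pending_email = new_email
    user.pending_token = secrets.token_urlsafe(32)
    user.outbox.append(("verify", new_email))            # token goes to the new address
    user.outbox.append(("changed_notice", user.email))   # old address learns about it
    return user.pending_token


def confirm_email(user: User, token: str) -> bool:
    """Complete the change only with the exact token that was mailed to the new address."""
    if user.pending_token is None or user.pending_email is None:
        return False
    if not hmac.compare_digest(token, user.pending_token):
        return False
    user.email = user.pending_email
    user.pending_email = None
    user.pending_token = None
    return True


def demo() -> dict:
    """Run both flows on constructed accounts and return what each one did."""
    victim = User("owner@example.com", "correct horse battery staple")
    # Flaw: whoever holds the session moves the account with no password at all.
    change_email_unverified(victim, "attacker@example.net")
    weak_pending, weak_mails = victim.pending_email, list(victim.outbox)

    hardened = User("owner@example.com", "correct horse battery staple")
    try:
        change_email(hardened, "attacker@example.net", "guess")
        blocked = False
    except ReauthRequired:
        blocked = True  # nothing was staged and nothing was mailed
    token = change_email(hardened, "new@example.com", "correct horse battery staple")
    bad_token_rejected = not confirm_email(hardened, "not-the-token")
    confirmed = confirm_email(hardened, token)
    return {
        "weak_pending": weak_pending,
        "weak_mails": weak_mails,
        "wrong_password_blocked": blocked,
        "bad_token_rejected": bad_token_rejected,
        "confirmed": confirmed,
        "final_email": hardened.email,
        "hardened_mails": list(hardened.outbox),
    }
```

The check that matters is the first line of change_email: the password is verified before the new address or token is stored, so a hijacked or unattended session cannot even start the process. The notice to the old address is the second half of what the report asks for; a stricter variant sends the confirmation code to the old address instead of relying on the password alone.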

