Important Insecure change password page

If anyone has a fix or plugin for this, please let me know!

I noticed today that the Kunena profile edit page (/profile/edit) is extremely insecure.

Expected behavior:

When changing a password, the user should be required to type in his or her current password. Alternatively, some other form of verification is recommended so that users don't get hacked (i.e., if User ABC leaves his account logged in on a computer and someone else accesses it, that person can then change the passwords and emails without any verification).

Current behavior:

When changing a password, the user need only type in the new password and apply.


Question: In order to resolve this, do I need to use a Joomla plugin to redo the password / registration system?

That's not really a Kunena thing. It's the way Joomla works in general. Joomla handles all of the login and password management functions, not Kunena. Community Builder uses the same password management system too. I'm not aware if JomSocial has implemented a more secure way (as you describe).

Jomsocial is the same. Do you (or does anyone) know of any core joomla components that would fix this globally (i.e., in Kunena)?