change_password.php is vulnerable to Cross-Site Request Forgery attacks. To prevent this type of attack, we can include a hidden token with the form and save this token in a session before rendering the page to the user. When the user submits the form, we can compare the hidden token to our session token. Alternatively (for this particular form), we can make the user enter their current password when changing passwords.
Other forms in this project may also be vulnerable to these attacks, and a hidden token should resolve this issue. I plan on submitting a patch for change_password.php to demonstrate this fix. I have also uploaded a possible CSRF attack.
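
The hidden-token check described above, as an added example that is not the project's code or the patch mentioned in the report. The helper names, the `csrf_token` field name and the form fields are hypothetical.

```php
<?php
// Added example: helper names, the csrf_token key and the form field names
// are hypothetical and not taken from the project.
session_start();

// Return the per-session token, creating it before the form is rendered.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input that carries the token inside the form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session token in constant time.
// A missing token, a missing session value or a non-string value all fail.
function csrf_check(): bool
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_check()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token matched: the form's existing password-change logic continues here.
    exit('Password change accepted.');
}
?>
<form method="post" action="change_password.php">
    <?= csrf_field() ?>
    <input type="password" name="new_password">
    <input type="password" name="confirm_password">
    <button type="submit">Change password</button>
</form>
```

A request forged from another site cannot read the session token, so it arrives without a matching `csrf_token` value and is rejected with 403 before any password logic runs.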