1) The problem →
If a user is signed into a website and this account is through Memberstack, anyone could go into their profile modal (with access to their computer) and change the email with no verification in place.
2) Why is this important →
If a user is paying for a subscription service of some kind and their account is stolen from them in some way via email change in the profile modal, they have no security in place to prevent it from happening. They don't have an option to confirm this change.
3) What's your plan B →
4) Possible solutions we could build for you →
An extra step when a user changes their email which would require them to confirm this change from their email. Memberstack currently only sends out a password reset email, but it also needs an email change confirmation one too.
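A minimal sketch of the confirmation step requested above, as an added example that is not part of the original post and not Memberstack's code or API. It assumes the confirmation link is mailed to the currently confirmed address; the `EmailChangeFlow` class, its in-memory store, and the one-hour token lifetime are all hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)


def _digest(token):
    # Only the hash is stored, so a leaked pending table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeFlow:
    """Hypothetical in-memory member store, for illustration only."""

    def __init__(self):
        self.emails = {}   # member_id -> confirmed email
        self.pending = {}  # sha256(token) -> (member_id, new_email, expires_at)

    def request_change(self, member_id, new_email, now=None):
        """Record a pending change; the confirmed email is NOT modified here."""
        now = time.time() if now is None else now
        # A new request supersedes any older pending request for this member.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != member_id}
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (member_id, new_email, now + TOKEN_TTL)
        # The caller mails the token to the current address (assumption), so a
        # person at an unlocked browser session cannot confirm the change alone.
        return self.emails[member_id], token

    def confirm(self, token, now=None):
        """Apply the pending change if the token is known, unused and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)  # pop makes it single-use
        if entry is None:
            return False
        member_id, new_email, expires_at = entry
        if now > expires_at:
            return False
        self.emails[member_id] = new_email
        return True
```
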