Another security issue that I just found: when saving a new password on the User Account Settings page, the old password is not required.
This is also bad. A malicious party who has stolen a logged-in session can take away access from the original user completely by changing his/her password.
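
One way to close the gap described in this report, as an added example that is not part of the original post or the application's code: the password change is refused unless the current password verifies, and every existing session is dropped afterwards. The `Account` class, the `change_password` function and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    """Hypothetical account record; not the application's real model."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _derive(password, self.salt)
        self.sessions = set()

    def new_session(self) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def check_password(self, candidate: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(_derive(candidate, self.salt), self.pw_hash)


def change_password(account, session, current_password, new_password):
    """Return a fresh session token on success, None if the change is refused."""
    # Reject requests that do not carry a live session at all.
    if session not in account.sessions:
        return None
    # A valid session alone is not enough, because it may be stolen:
    # re-authenticate with the current password before accepting the new one.
    if not account.check_password(current_password):
        return None
    account.salt = os.urandom(16)
    account.pw_hash = _derive(new_password, account.salt)
    # Drop every existing session (a stolen one included) and issue a new token.
    account.sessions.clear()
    return account.new_session()
```
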