Captchas are usually used to prevent robots to make an action instead of humans. It should add an extra layer of security but badly configured it could lead to unauthorized access…
When you try to submit the form without providing a captcha code, you get the following error:
Try to submit an empty password and take a look to the HTTP request and her parameters, you can notice the strange variable
This variable is the step in the change password functionnality.
So if you simply change it to
2 and replay the request with this new value, it works perfectly.