I Found Account Takeover via CSRF and Password Reset Function
The email-change request has no protection against CSRF, so a cross-site request can change a victim's email address, which leads from CSRF to account takeover.
It is a critical issue, as I was able to take over anyone's account using this attack. This vulnerability is high/critical because I was able to perform account takeover.
Now I just forwarded the above request and the CSRF code worked. So by this exploit, I changed the victim's account email to my email.
The last step to account takeover: I used the forgot password method to receive the password reset link at my email, and I have full control over the victim's account.