There could be one solution which I think should work in all such cases (and not only for changing the password under the profile - actually with such JavaScript you could submit *any* action if the user is logged in).
I have thought for a long time about putting it in miniBB, but I'm just not sure if it would work and if it's not possible to hack in.
Try this: modify the index.php file and after the line which says
include ($clonePath.'setup_options.php');
put this code:
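// Reject any POST whose Referer does not start with the forum's own URL
if(isset($_POST) and sizeof($_POST)>0){
// The header may be absent; treat that as an empty string instead of an undefined index
$referer=isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:'';
// Prefix match: a foreign URL that merely contains $main_url somewhere must not pass
if(strncasecmp($referer, $main_url, strlen($main_url))!=0){
die('Sorry, it seems like an intrusion attempt or your server doesn\'t support referrers!');
}
}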
Let me know if you can still repeat this bug...
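
An added example, not part of the original post and not miniBB's own code: it runs the substring test and a stricter scheme/host/path comparison over a few constructed Referer values, so you can see which ones each test lets through. The function names `referer_contains` and `referer_is_local` and the `forum.example` / `other.example` URLs are assumptions made for illustration.

```php
<?php
// Added example; not miniBB code. All URLs below are constructed sample values.

// Substring test: passes if $main_url occurs anywhere in the Referer.
function referer_contains($referer, $main_url) {
    return substr_count(strtolower($referer), strtolower($main_url)) > 0;
}

// Stricter test: same scheme, host and port, and a path at or below the forum's path.
function referer_is_local($referer, $main_url) {
    $r = parse_url($referer);
    $m = parse_url($main_url);
    if (!is_array($r) || !is_array($m)) {
        return false; // unparsable URL
    }
    foreach (array('scheme', 'host') as $part) {
        if (!isset($r[$part], $m[$part]) || strcasecmp($r[$part], $m[$part]) != 0) {
            return false; // missing Referer or different origin
        }
    }
    $rPort = isset($r['port']) ? $r['port'] : null;
    $mPort = isset($m['port']) ? $m['port'] : null;
    if ($rPort !== $mPort) {
        return false;
    }
    // Compare whole path segments so "/forumX" does not match "/forum".
    $base = rtrim(isset($m['path']) ? $m['path'] : '', '/') . '/';
    $path = (isset($r['path']) ? $r['path'] : '') . '/';
    return strncmp($path, $base, strlen($base)) == 0;
}

$main_url = 'http://forum.example/forum';
$samples = array(
    'http://forum.example/forum/index.php?action=prefs',      // the forum's own page
    '',                                                       // header absent
    'http://other.example/page?u=http://forum.example/forum', // foreign page, forum URL in query
    'http://forum.example/forumX/post.php',                   // sibling path on the same host
);

// Columns: substring test, stricter test, Referer value
foreach ($samples as $referer) {
    printf("%-7s %-7s %s\n",
        referer_contains($referer, $main_url) ? 'accept' : 'reject',
        referer_is_local($referer, $main_url) ? 'accept' : 'reject',
        $referer === '' ? '(no Referer)' : $referer);
}
```

Both tests reject a request with no Referer, so users whose browser or proxy strips the header are blocked as well, which is the case the error message in the post mentions.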