Changing email confirmation to current email


Right now, when an email is changed on a forum, the confirmation of the new email is sent to the new email. This is good because the new email obviously needs to be confirmed, but it's also highly insecure. If a forum account was compromised, they can do everything including changing the email and password of the account.

I would like a security feature that requires a confirmation from the current email address prior to sending the confirmation to the new email address. It would look something like:

Somebody has requested to change your email address on Board Name. To authorise this change, please click here. If this wasn't you, please report this to the board staff and change your password immediately.
If possible, this could also be implemented for password changes, where a user has to confirm a new password via their current email.

Thanks :)