The application misses server-side checks allowing me to bypass the requirement of providing…
2020-06-16 11:16:52 Author: medium.com (view original) Views: 142 Saved: 

Harsh Bothra

Jun 16 · 1 min read

  1. The application misses server-side checks allowing me to bypass the requirement of providing Current/Original Password.
  2. The server does not restrict the use of a parameterized GET request to update the profile. However, the application logic seems to have validation in place for POST requests, as the developer might not have expected input to arrive through a GET request (a general mistake).

Long Story Short: the restriction on GET requests and the server-side checks were not implemented properly.
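As an added illustration (not the author's code or the affected application's), the following Python model shows a profile-update handler with the two defects described, reading parameters from a GET query string and only verifying the current password on POST, beside a fixed handler; the in-memory user store, the `Request` object and the hashing helpers are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: str) -> str:
    # PBKDF2 stands in for whatever the real application uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_store(username: str, password: str) -> dict:
    """Constructed in-memory user store for the demo, not a real backend."""
    salt = secrets.token_hex(8)
    return {username: {"salt": salt, "hash": hash_password(password, salt)}}


def check_password(record: dict, candidate) -> bool:
    if not isinstance(candidate, str):        # missing/None parameter fails closed
        return False
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


@dataclass
class Request:
    method: str
    user: str                                   # authenticated session user (assumed)
    args: dict = field(default_factory=dict)    # query-string parameters
    form: dict = field(default_factory=dict)    # POST body parameters


def update_profile_vulnerable(store: dict, req: Request):
    # Defect 1: on GET the parameters are read from the query string, so the
    # update logic is reachable with a parameterized GET request.
    params = req.form if req.method == "POST" else req.args
    record = store[req.user]
    if "new_password" in params:
        # Defect 2: the current-password check runs only for POST.
        if req.method == "POST" and not check_password(record, params.get("current_password")):
            return 403, "current password incorrect"
        record["hash"] = hash_password(params["new_password"], record["salt"])
    return 200, "profile updated"


def update_profile_fixed(store: dict, req: Request):
    if req.method != "POST":                    # state changes accept POST only
        return 405, "method not allowed"
    record = store[req.user]
    if "new_password" in req.form:
        # The current password is verified server-side on every request.
        if not check_password(record, req.form.get("current_password")):
            return 403, "current password incorrect"
        record["hash"] = hash_password(req.form["new_password"], record["salt"])
    return 200, "profile updated"
```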

I hope that helps.


Source: https://medium.com/@hbothra22/the-application-misses-server-side-checks-allowing-me-to-bypass-the-requirement-of-providing-7dcfc9cffc07?source=rss-54fa249211d2------2