
[Medium] While changing passwords, site prompts for email verification code but doesn't actually require it

Discussion in 'Report Bugs' started by Hampy, 18 July 2023.

  1. Hampy (Game Moderator, Staff Member), 21:41
    Description of the bug:
    While attempting to change an account's password, the MapleLegends site will indicate that "You will be required to verify your account recovery process through your registered email address," and will even prompt for said verification code after entering the information required in the initial form (Login ID, PIN, Birthday, New Password, and Confirm New Password); however, one can simply not enter the emailed verification code, and the account's password will have been changed anyway.

    What is supposed to happen?:
    Going strictly by what the site is indicating should be the case, presumably one's password should not change until the aforementioned verification code is entered in the second, single-line form which appears after filling out the initial form to change one's password.

    Where did you find and/or notice this bug?:
    I noticed this bug while doing password changes for some alternate/mule accounts. Initially, I had been entering the emailed verification codes, though after a few times doing this I simply thought to abort the "change password" process prior to entering the verification code to see if it would process it anyway, and lo and behold: the password change was indeed processed. I tested this on a few other accounts afterwards to confirm this was indeed happening, and the password changes processed similarly.

    A step-by-step guide to reproducing this bug:
    1) log in to an account
    2) select the My Account tab to open the dropdown menu
    3) within the dropdown menu, select Account Recovery to navigate to said page
    4) on the Account Recovery page, select the Reset Password option
    5) fill out the initial form with the relevant information (including your new password), confirm you are not a robot, then select Submit at the bottom of the form
    6) you will be brought to a second, single-line form which asks you to enter the verification code sent to the email address associated with this account, but instead of entering said code, simply navigate away from the page (such as by logging out of the account)
    7) attempt to log in to the same account by using the new password (which now works, as the password change request was processed prior to entering the verification code)

    Extra information:
    While getting ready to post this, I remembered that it is possible to access the Account Recovery page without first logging in to an account (the link to the Account Recovery page is shown as a large orange button along with the Login and Create Account options on the main ML webpage). I tried the same process outlined above though without logging in to the account first and was able to change the account's password this way. Given that this is the case, an individual with malicious intent could technically change an account's password if they know the login ID, PIN, and user's birthday, as the email verification part of the process is not working correctly. After doing so, they could then change the account's associated email address (the relevant form does require one to enter the account's password), thus locking a user out of their account with no built-in recourse. While it seems unlikely that someone would know a target's login ID and PIN (birthday might be a different story unless it was intentionally set up falsely by the user to begin with), what this ultimately means is that in its current state, all the information needed to gain access to someone's account and subsequently lock the legitimate owner out is stored within ML's servers (again, this would not be the case if email verification was working correctly). As a result of realizing that knowing an account's old password was not required to change it to something new, I bumped the thread priority/urgency from Low to Medium. I'm tempted to bump it up to High given the greater risk at hand I just outlined, but given how unlikely/rare large-scale data breaches are, I think Medium is appropriate. However, if any staff member(s) thinks this is more pressing, feel free to change the priority/urgency or hide/remove the thread entirely.
     
    Last edited: 18 July 2023
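As an added illustration, not code from the MapleLegends site (whose implementation is not shown in this thread), the following Python models the two server-side orderings of a multi-step password reset that the report contrasts: the reported one, where the password is written as soon as the identity form (Login ID, PIN, birthday) passes and the emailed code is prompted for but never waited on, and a hardened one, where the form only records a pending reset and the password is committed solely when the emailed code is verified within its expiry. The class names, field names, the 15-minute expiry, the attempt limit and the sample account are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _hash(value: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); enough to show the flow.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    login_id: str
    pin: str
    birthday: str
    email: str
    password_hash: str


@dataclass
class PendingReset:
    new_password_hash: str
    code_hash: str
    expires_at: datetime
    attempts_left: int = 5


class BrokenResetService:
    """Ordering described in the report: the password is written as soon as the
    identity form checks out; a code is emailed and prompted for afterwards,
    but nothing waits on it."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.outbox = []  # (email, code) pairs that would be sent

    def submit_form(self, login_id, pin, birthday, new_password):
        acct = self.accounts[login_id]
        if acct.pin != pin or acct.birthday != birthday:
            return False
        acct.password_hash = _hash(new_password)  # committed before any verification
        self.outbox.append((acct.email, f"{secrets.randbelow(10**6):06d}"))
        return True

    def submit_code(self, login_id, code):
        return True  # irrelevant: the change already happened


class FixedResetService:
    """Hardened ordering: the identity form only records a pending reset keyed
    by a hashed one-time code with a short expiry; the password is written in
    submit_code and nowhere else."""

    def __init__(self, accounts, ttl_minutes=15):
        self.accounts = accounts
        self.pending = {}
        self.outbox = []
        self.ttl = timedelta(minutes=ttl_minutes)

    def submit_form(self, login_id, pin, birthday, new_password, now):
        acct = self.accounts.get(login_id)
        # compare_digest keeps the PIN/birthday check constant-time.
        if (acct is not None and hmac.compare_digest(acct.pin, pin)
                and hmac.compare_digest(acct.birthday, birthday)):
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[login_id] = PendingReset(_hash(new_password), _hash(code), now + self.ttl)
            self.outbox.append((acct.email, code))
        return True  # same response either way: the form does not confirm the account exists

    def submit_code(self, login_id, code, now):
        pr = self.pending.get(login_id)
        if pr is None or now > pr.expires_at:
            self.pending.pop(login_id, None)  # expired or unknown: discard
            return False
        if not hmac.compare_digest(pr.code_hash, _hash(code)):
            pr.attempts_left -= 1
            if pr.attempts_left == 0:
                del self.pending[login_id]  # burn the pending reset after too many guesses
            return False
        self.accounts[login_id].password_hash = pr.new_password_hash  # the only place it changes
        del self.pending[login_id]
        return True


def check_login(accounts, login_id, password):
    acct = accounts.get(login_id)
    return acct is not None and hmac.compare_digest(acct.password_hash, _hash(password))


def _fresh_accounts():
    # Constructed sample account; nothing here comes from the site.
    return {"mule01": Account("mule01", "1234", "1990-01-01", "mule01@example.invalid", _hash("OldPass1"))}


def demo():
    """Exercises both orderings and returns the login outcomes as a dict."""
    now = datetime(2023, 7, 18, 21, 41, tzinfo=timezone.utc)
    results = {}
    accounts = _fresh_accounts()
    broken = BrokenResetService(accounts)
    broken.submit_form("mule01", "1234", "1990-01-01", "NewPass2")
    # Walk away without entering the code: the new password already works.
    results["broken_abandoned_new_pw_works"] = check_login(accounts, "mule01", "NewPass2")
    accounts = _fresh_accounts()
    fixed = FixedResetService(accounts)
    fixed.submit_form("mule01", "1234", "1990-01-01", "NewPass2", now)
    results["fixed_abandoned_new_pw_works"] = check_login(accounts, "mule01", "NewPass2")
    results["fixed_abandoned_old_pw_works"] = check_login(accounts, "mule01", "OldPass1")
    real_code = fixed.outbox[-1][1]
    wrong_code = "x" + real_code[1:]  # guaranteed to differ from the real code
    results["fixed_wrong_code_accepted"] = fixed.submit_code("mule01", wrong_code, now)
    results["fixed_right_code_accepted"] = fixed.submit_code("mule01", real_code, now + timedelta(minutes=1))
    results["fixed_after_code_new_pw_works"] = check_login(accounts, "mule01", "NewPass2")
    accounts = _fresh_accounts()
    late = FixedResetService(accounts)
    late.submit_form("mule01", "1234", "1990-01-01", "NewPass2", now)
    results["fixed_expired_code_accepted"] = late.submit_code("mule01", late.outbox[-1][1], now + timedelta(minutes=16))
    results["fixed_expired_new_pw_works"] = check_login(accounts, "mule01", "NewPass2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is where the write to `password_hash` sits: in the broken ordering it precedes the code prompt, so abandoning the second form (or never loading it) has no effect, which is exactly what the report observes; in the hardened ordering the only write is behind a successful, unexpired code check, and the pending state carries its own expiry and attempt limit so an abandoned reset cannot be finished later or guessed through.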
