Divyanshu
1 min read · Mar 11, 2019


Max

In the first place they marked it N/A, but once the user resets their password or removes the attacker's email from the profile, the malicious user could still log in, which was not the intended functionality for the application. I discussed this with the developer, who agreed to escalate it on the basis of the functionality issue. So temporarily they added token verification for updating the email, and later they fixed the whole login.
