diff --git a/src/user/profile.js b/src/user/profile.js
index 4eea3ee22a..38a8083648 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -280,13 +280,18 @@ module.exports = function (User) {
 }
 let isAdminOrPasswordMatch = false;
 const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
+
+ if (!isAdmin && !isSelf) {
+ throw new Error('[[user:change_password_error_privileges]]');
+ }
+
 if (
 (isAdmin && !isSelf) || // Admins ok
 (!hasPassword && isSelf) // Initial password set ok
 ) {
 isAdminOrPasswordMatch = true;
 } else {
- isAdminOrPasswordMatch = await User.isPasswordCorrect(uid, data.currentPassword, data.ip);
+ isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
 }
 
 if (!isAdminOrPasswordMatch) {
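Review bot: The new privilege guard and the password check use two different forms of the target id. `isSelf` compares `parseInt(data.uid, 10)`, but the else branch passes the raw, request-supplied `data.uid` to `User.isPasswordCorrect`. `parseInt` accepts any string with a numeric prefix (a constructed example is `'12abc'`), so a value can pass the `isSelf` gate without being the canonical uid that is then handed on. I would normalise once with `const targetUid = parseInt(data.uid, 10);` and use `targetUid` in both the comparison and the `isPasswordCorrect` call. After the added guard the else branch is only reachable when `isSelf` is true, so passing the parsed id loses nothing. The function body continues outside the hunk, so whether later statements also read `data.uid` unparsed cannot be confirmed from here and is worth checking, together with a regression test that a non-admin caller with a foreign `data.uid` gets `[[user:change_password_error_privileges]]`.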