Your customizing, right ?

Use https://pfsense.yourlan.tld/system_usermanager.php as an example.

Normally, when you use a page like "https://pfsense.yourlan.tld/system_usermanager.php" you should be logged in.
But, as you create your won "user edit" page, you could throw away that need. Just borrow (copy) the code you need to update the user's settings - the 'saving part is happening after the line that says :

if ($_POST['save'] && !$read_only) {

Something like : have to look up the user ID first, and if it exists, compare the old password with what the user entered (first "old" password box) and if there is a match, update the user's password with what he entered in the "new" password second box.
This way, you allow only known users to change their own password.