It is possible to change passwords with activated 2FA without providing the 2FA token. This is a design flaw. It needs to be asked every time the password is asked, such as for a password change or an email change.
This is a bit tricky; we would also need to disable the ability for an account to turn off 2FA without a 2FA token, otherwise the person who hijacked the account would disable 2FA before making their changes. This could cause people to get locked out of their account. At this point though, the risks of being locked out of an account and having to contact support probably aren’t as bad as the damage a hacked account can do.
For context, changing password, email, and two-factor auth settings requires the account password. If someone is stealing a session and able to take over the account by changing its details, then they also have the account password.
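A small Python model of the gating the first two posts argue for, added here as an example and not the project's own code: every sensitive change (password, email, 2FA settings) requires the account password and, while 2FA is enabled, a current TOTP code, including the change that turns 2FA off. The Account class, its fields, and the TOTP secret used are constructed for illustration; the TOTP routine follows RFC 6238.

```python
import hashlib, hmac, struct, time
from typing import Callable, Optional

class StepUpRequired(Exception):
    """A sensitive change was attempted on a 2FA-enabled account without a 2FA code."""

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    """Constructed toy account: the password is kept in plaintext for brevity (a real
    system stores a password hash); totp_secret of None means 2FA is disabled."""
    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self.password, self.email, self.totp_secret = password, "old@example.test", totp_secret

    def _require_password(self, password: str) -> None:
        if not hmac.compare_digest(self.password.encode(), password.encode()):
            raise PermissionError("wrong password")

    def _require_second_factor(self, code: Optional[str], now: int) -> None:
        # The fix the thread asks for: while 2FA is enabled, the password alone is
        # not enough for a sensitive change; a current TOTP code must accompany it.
        if self.totp_secret is None:
            return
        if code is None:
            raise StepUpRequired("2FA code required for this change")
        for drift in (-1, 0, 1):  # tolerate one time step of clock skew either way
            if hmac.compare_digest(totp(self.totp_secret, now + 30 * drift), code):
                return
        raise PermissionError("wrong 2FA code")

    def _sensitive_change(self, password, code, now, apply: Callable[[], None]) -> None:
        now = int(time.time()) if now is None else now
        self._require_password(password)
        self._require_second_factor(code, now)
        apply()  # only reached once both factors have been verified

    def change_password(self, password, new_password, code=None, now=None):
        self._sensitive_change(password, code, now, lambda: setattr(self, "password", new_password))

    def change_email(self, password, new_email, code=None, now=None):
        self._sensitive_change(password, code, now, lambda: setattr(self, "email", new_email))

    def disable_2fa(self, password, code=None, now=None):
        # Turning 2FA off is gated the same way, so a hijacked session cannot strip it first.
        self._sensitive_change(password, code, now, lambda: setattr(self, "totp_secret", None))
```

The `now` parameter exists so the check can be exercised against the RFC 6238 test vectors; in production it is left at the default wall clock.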