Is this code still exploitable? Certainly password over HTTP is insecure!

Stumbled upon this initially here: -http://web2.fluidhosting.com/ (webshell // stunshell exploitable - for instance)
hxtp://web2.fluidhosting.com/webshell4/login.php

You can also detect such web malware by analysing your HTTP access logs. Because these malwares depends on the HTTP protocol having your ewb server serving the requests; it should log all access and errors.
Info credits StackOverflow’s _AK.
and in the websource detected:
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcp.myhsphere.cc%2Fpsoft%2Fservlet%2Fpsoft.hsphere.CP%3Faction%3Dchange_mbox_password
Re: https://urlscan.io/result/8741a984-2afb-4aba-bc01-4af2f42fdda4/dom/
Not secure: -http://cp.myhsphere.cc/psoft/servlet/psoft.hsphere.CP?action=change_mbox_password
Consider: https://www.exploit-db.com/exploits/32396/
Seems this answers the same origin rule:
susceptible to FBI Firefox Exploit for You (CVE-2013-1690) Yet Another DNS Vulnerability! .

Also see the issues: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=cp.myhsphere.cc%2Fpsoft%2Fservlet%2Fpsoft.hsphere.CP%3Faction%3Dchange_mbox_password&ref_sel=GSP2&ua_sel=ff&fs=1 → Note: Google has been flagging sites that collect user information (passwords) over HTTP.

Also not secure connection for -https://cp.myhsphere.cc/psoft/servlet/psoft.hsphere.CP errors and backend issues…

polonus (volunteer website security analyst and website error-hunter)