The Stop User Enumeration plugin for WordPress has a security flaw that affects versions up to and including 1.3.8. An unauthenticated attacker can send a POST request to the REST API that simulates a GET request, which lets them obtain information they should not have access to.
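A site-side guard for this class of flaw is sketched below as an added example; it is not the plugin's code or its fix. It assumes the data at risk is served by the WordPress core users routes under `/wp/v2/users`. The function name `example_deny_anon_user_routes` is hypothetical. The decision is made on the route of the dispatched `WP_REST_Request` and on the authenticated user, so it does not depend on which HTTP verb arrived on the wire.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not part of Stop User Enumeration).
 *
 * Denies unauthenticated access to the core users routes for every HTTP
 * method. Assumption: the sensitive data is exposed under /wp/v2/users.
 */

add_filter( 'rest_pre_dispatch', 'example_deny_anon_user_routes', 10, 3 );

/**
 * @param mixed           $result  Null unless an earlier filter already answered.
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The request about to be dispatched.
 * @return mixed Unchanged $result, or a WP_Error that ends the request.
 */
function example_deny_anon_user_routes( $result, $server, $request ) {
    // Respect a response or error produced by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }

    // REST authentication has already run at this point, so this reflects
    // the user the request was authenticated as (0 for anonymous).
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Match on the route only. Deliberately no test of
    // $_SERVER['REQUEST_METHOD'] or $request->get_method(): the rule must
    // hold whatever verb the client used. Core matches routes
    // case-insensitively, so this pattern does too.
    $route = untrailingslashit( $request->get_route() );
    if ( preg_match( '#^/wp/v2/users(?:/|$)#i', $route ) ) {
        return new WP_Error(
            'rest_user_cannot_view',
            'Authentication is required to access user data.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}
```

Updating the plugin past 1.3.8 remains the primary remediation; a guard like this is a second layer and will also block any theme or plugin feature that relies on anonymous reads of the users routes.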