OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.