Vulnerability:- ->User enumeration is possible through forgot password feature.
steps to reproduce:- ->Go to the above selected domain and go to forgot password. ->You can submit a mail address and check whether it is existing in your database or not.
Remediation:- ->It should display like "if that mail address exists in our system, then we will send password reset link."
I hope that you will consider this issue as you also welcome the reports of best practices.