The plugin does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users
When the “Block access to users’ data via REST API” settings is enabled (wp-admin/admin.php?page=cerber-security&tab;=hardening) https://example.com/subdir//wp-json/wp/v2/users