Hi,
I noticed that the public Decent Comments REST endpoint exposes stable Gravatar hashes derived from commenter emails and allows ordering by comment_author_email.
Even though raw emails aren’t returned, this enables identity correlation and metadata inference without authentication.
This looks like an unintentional privacy leak and might be worth restricting or normalizing.
Thanks for the great plugin.
