An issue exists in Joomla! prior to 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
joomla joomla\\!