How to obtain “wp_rest” nonce for WP Statistics plugin manually?

As I understand, this plugin uses wp_rest action for nonce and it means that the nonce used is global for the whole JSON REST API. Am I correct here?

Yes, it’s not the plugin that needs the nonce, it’s WordPress itself, and it needs other things too such as cookies from an active login session, and for it to be from a user with the needed role/capabilities.

And if yes, how can I obtain this nonce value manually?

You can’t, WP gives it to you, and the nonces are unique to each person. Generating it locally would require that you have the secret key hashes from the wp-config.php file.

So you can’t steal someone else’s nonce, you can’t generate it locally.

But even if you could, it only helps identify and authenticate that you are a specific user, it won’t give you permissions to do things your user can’t already do.

If You’re Already Logged In

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

If WP itself is localising the nonce then it’s available as:

wpApiSettings.nonce

Note that all the caveats I’ve mentioned still apply.


Having said that, I don’t think you should be asking how to exploit a WP site here. It should be enough to report to the client that they’re running vulnerable software.
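Added example, not part of the original answer and not WordPress's own code: a simplified Python model of the nonce derivation, assuming core computes an HMAC-MD5 over tick|action|uid|session token keyed with the nonce key and salt from wp-config.php. It shows why a "wp_rest" nonce is bound to one user, one login session, one site secret and a limited time window. The function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400  # nonce lifetime assumed in this model


def nonce_tick(now, life=DAY_IN_SECONDS):
    # The tick advances every half lifetime, so a nonce is accepted for 12 to 24 hours.
    return math.ceil(now / (life / 2))


def model_nonce(action, uid, session_token, secret, tick):
    # HMAC-MD5 over tick|action|uid|token, keyed with the site's nonce key + salt;
    # the nonce is a 10-character slice of the hex digest.
    data = f"{tick}|{action}|{uid}|{session_token}".encode()
    digest = hmac.new(secret.encode(), data, hashlib.md5).hexdigest()
    return digest[-12:-2]


def model_verify(nonce, action, uid, session_token, secret, now):
    # Accept the current tick or the previous one, compared in constant time.
    tick = nonce_tick(now)
    return any(
        hmac.compare_digest(model_nonce(action, uid, session_token, secret, t), nonce)
        for t in (tick, tick - 1)
    )


# Constructed sample values, not taken from any real site.
SECRET = "constructed-nonce-key" + "constructed-nonce-salt"
NOW = 1_700_000_000
ALICE = dict(uid=2, session_token="constructed-session-token-a")
BOB = dict(uid=3, session_token="constructed-session-token-b")


def demo():
    # Issue a nonce for Alice, then check it under four different conditions.
    nonce = model_nonce("wp_rest", secret=SECRET, tick=nonce_tick(NOW), **ALICE)
    check = lambda who, secret=SECRET, now=NOW: model_verify(
        nonce, "wp_rest", secret=secret, now=now, **who)
    return {
        "nonce_length": len(nonce),
        "valid_for_alice": check(ALICE),
        "valid_for_bob": check(BOB),
        "valid_with_other_secret": check(ALICE, secret="guessed-secret"),
        "valid_after_lifetime": check(ALICE, now=NOW + DAY_IN_SECONDS),
    }
```

Only the first check passes: the same nonce is rejected for another user or session, under a different site secret, and once the lifetime has elapsed.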