Description The plugin does not have authorisation and CSRF in various function hooked to admin_init, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example
As unauthenticated, open the following URL to unlink the Instagram account of the user with ID 5:
https://example.com/wp-admin/admin-post.php?action=enjoyinstagram-remove-user&user_id=5&tab=users-settings