@mishre discovered a way to update an organization from a free plan to a paid team plan with any number of seats without having provided billing information. By adding the organization plan attributes to the request made when updating profile information, the organization’s plan would be changed without any billing validation. We addressed the vulnerability by passing the user-supplied parameters through a whitelist of attributes allowed for a profile update.
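The bug class described above is mass assignment: a profile-update handler that writes every request key to the model lets unrelated attributes ride along. The following added example (not GitHub's code) shows that pattern in plain Ruby beside the whitelisted fix; the `Organization` struct, attribute names and request values are constructed for illustration.

```ruby
# Added example, not GitHub's code: a mass-assignment bug of the kind
# described in the disclosure, next to its whitelisted fix. Class,
# attribute and parameter names are constructed for illustration.

Organization = Struct.new(:name, :plan, :seats, :billing_on_file)

# Profile fields a user is legitimately allowed to change.
PROFILE_PERMITTED = %w[name].freeze

# Vulnerable: every request key becomes an attribute write, so "plan"
# and "seats" are applied with no billing validation at all.
def update_profile_unsafe(org, params)
  params.each do |key, value|
    setter = "#{key}="
    org.public_send(setter, value) if org.respond_to?(setter)
  end
  org
end

# Hardened: only whitelisted keys are applied. Rejected keys are returned
# so the caller can log them; unexpected attributes in a profile update
# are a useful detection signal.
def update_profile_safe(org, params, permitted: PROFILE_PERMITTED)
  params = params.transform_keys(&:to_s)
  allowed, rejected = params.partition { |k, _| permitted.include?(k) }
  allowed.each { |k, v| org.public_send("#{k}=", v) }
  [org, rejected.to_h]
end

# Plan changes take their own path, which enforces the billing check.
def change_plan(org, plan:, seats:)
  raise ArgumentError, "billing information required" unless org.billing_on_file
  org.plan = plan
  org.seats = seats
  org
end

# Constructed request: a profile update padded with plan attributes.
REQUEST_PARAMS = { "name" => "acme", "plan" => "team", "seats" => 500 }.freeze

def demo
  org = Organization.new("old", "free", 1, false)
  update_profile_unsafe(org, REQUEST_PARAMS)
  unsafe_plan = org.plan # "team": escalated without billing

  org = Organization.new("old", "free", 1, false)
  _, rejected = update_profile_safe(org, REQUEST_PARAMS)
  { unsafe_plan: unsafe_plan, safe_plan: org.plan, rejected: rejected.keys }
end
```

Running `demo` shows the unsafe path ending on the "team" plan while the safe path stays on "free" and reports `plan` and `seats` as rejected keys.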