Dropcontact: User can Subscribe a plan that is hidden by manipulating the value of "subscription" parameter at [ https://app.dropcontact.io/app/checkout/]

When login into dropcontact, going into subscription and clicking on some plan, you have the id of the plan in the url, someone could see hidden plan by changing this parameter...