I just checked their pricing table and it says you can have up to 5 people. If you're positive no one accidentally invited someone at a higher permission level than they should've and positive no one somehow accidentally got upgraded permissions, then it sounds like you'd need to reach out to support to have them figure out what's causing the bug.
I know it seems crazy that someone could get higher permissions without you knowing, but I've had to implement some pretty rigorous sharing constraints for our Enterprise level account because people kept inviting people and it would send the invite at their permission level because they wouldn't double check before sending.
