diff --git a/inc/Forms/AdminPageForms.php b/inc/Forms/AdminPageForms.php
index 4392823..16ec57b 100644
--- a/inc/Forms/AdminPageForms.php
+++ b/inc/Forms/AdminPageForms.php
@@ -121,7 +121,8 @@ public static function ControlForm( $sectionKey ) {
         <form method="post" action="options.php" class="wpcui-control-form">
 			<?= self::FormAction( $action ); ?>
             <input type="hidden" name="section" value="<?= $sectionKey ?>">
-            <input type="hidden" name="old_control_id" value="<?= $_POST[AdminFormStatus::EditControl] ?>">
+            <input type="hidden" name="old_control_id"
+                   value="<?= sanitize_text_field( $_POST[ AdminFormStatus::EditControl ] ) ?>">
 			<?php
 			settings_fields( 'wpcui' );
 			do_settings_sections( 'wpcui-control' );
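Review bot: `sanitize_text_field()` on the new `value=` line is an input filter, not an attribute escaper: it strips tags but leaves double quotes intact, so the posted id is still not safe inside the quoted attribute. Escape at output instead, `value="<?= esc_attr( sanitize_text_field( wp_unslash( $_POST[ AdminFormStatus::EditControl ] ?? '' ) ) ) ?>">`; the `?? ''` assumes the key can be absent, which this hunk does not show. The `wp_unslash()` is there because WordPress slashes `$_POST`, and the same call is missing in the `IsEditControlForSection`, `sanitizeSettings`, `sanitizeUpdateControl` and `addControlSettings` hunks. The `$sectionKey` echoed two lines above has no escaping either and would take `esc_attr()` too. `ControlForm` starts and ends outside this hunk.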
diff --git a/inc/Services/AdminFormStatusService.php b/inc/Services/AdminFormStatusService.php
index d85828a..261d08e 100644
--- a/inc/Services/AdminFormStatusService.php
+++ b/inc/Services/AdminFormStatusService.php
@@ -45,7 +45,7 @@ public static function IsEditControl() {
 	 */
 	public static function IsEditControlForSection( $sectionId ) {
 		if ( isset( $_POST[ AdminFormStatus::EditControl ] ) ) {
-			$control = DataService::getControlById( $_POST[ AdminFormStatus::EditControl ] );
+			$control = DataService::getControlById( sanitize_text_field( $_POST[ AdminFormStatus::EditControl ] ) );
 
 			return $control['section'] == $sectionId;
 		}
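Review bot: `$control['section']` is read without checking that `DataService::getControlById()` found anything, and the loose `==` then compares that result with `$sectionId`. If the lookup returns null or false for an unknown id (its body is not in this diff), the comparison can pass for an empty or zero `$sectionId`; a guard such as `return is_array( $control ) && isset( $control['section'] ) && $control['section'] == $sectionId;` avoids that. The rest of `IsEditControlForSection` lies past the end of the hunk.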
diff --git a/inc/Services/AdminSanitizerService.php b/inc/Services/AdminSanitizerService.php
index 8876562..8fa7a19 100644
--- a/inc/Services/AdminSanitizerService.php
+++ b/inc/Services/AdminSanitizerService.php
@@ -23,7 +23,7 @@ public function sanitizeSettings( $input ): array {
 		$settings = DataService::getSettings();
 
 		if ( array_key_exists( 'wpcui_action', $_POST ) ) {
-			switch ( $_POST['wpcui_action'] ) {
+			switch ( sanitize_text_field( $_POST['wpcui_action'] ) ) {
 				case AdminPageFormActions::CreateNewSection:
 					$settings = $this->sanitizeNewSection( $input, $settings );
 					break;
@@ -161,7 +161,7 @@ private function sanitizeUpdateControl( $input, $settings ) {
 			return $settings;
 		}
 
-		$oldControlId = $_POST['old_control_id'];
+		$oldControlId = sanitize_text_field( $_POST['old_control_id'] );
 
 		foreach ( $settings['sections'] as $sectionKey => $section ) {
 			foreach ( $section['controls'] as $control ) {
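Review bot: `$_POST['old_control_id']` is read without an existence check, so a request that omits the field raises an undefined-index warning and leaves `$oldControlId` as an empty string that the loops below still search for. Unless the guard that ends just above the hunk already covers it, use `$oldControlId = isset( $_POST['old_control_id'] ) ? sanitize_text_field( wp_unslash( $_POST['old_control_id'] ) ) : '';` and return `$settings` unchanged when it is empty. The field is a client-controlled hidden input, so a short comment saying it is only used to locate an existing control would help; how it is matched against `$control` is outside the hunk.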
diff --git a/inc/Services/AdminSettingsService.php b/inc/Services/AdminSettingsService.php
index 36df649..9e3d65d 100644
--- a/inc/Services/AdminSettingsService.php
+++ b/inc/Services/AdminSettingsService.php
@@ -68,7 +68,7 @@ private function addControlSettings() {
 		$existingControl = null;
 		if ( AdminFormStatusService::IsEditControl() ) {
 			$title           = 'Edit Control';
-			$existingControl = DataService::getControlById( esc_attr( $_POST[AdminFormStatus::EditControl] ) );
+			$existingControl = DataService::getControlById( sanitize_text_field( $_POST[ AdminFormStatus::EditControl ] ) );
 		}
 
 		add_settings_section(
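Review bot: The expression `sanitize_text_field( $_POST[ AdminFormStatus::EditControl ] )` now appears three times in this commit (here, in `ControlForm` and in `IsEditControlForSection`), and the copies can drift apart, as the old `esc_attr()` on this line already had. A single accessor on `AdminFormStatusService`, next to `IsEditControl()`, would keep the step in one place, for example a new method returning `sanitize_text_field( wp_unslash( $_POST[ AdminFormStatus::EditControl ] ) )`. `$existingControl` can also stay null when the posted id matches nothing; whether the code after this hunk handles that is not visible.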