diff --git a/includes/admin/class-sp-admin-setup-wizard.php b/includes/admin/class-sp-admin-setup-wizard.php
index 2ce7de36..96377ce4 100644
--- a/includes/admin/class-sp-admin-setup-wizard.php
+++ b/includes/admin/class-sp-admin-setup-wizard.php
@@ -390,7 +390,7 @@ class SP_Admin_Setup_Wizard {
 check_admin_referer( 'sp-setup' );
 // Add away team
- $post['post_title'] = $_POST['away_team'];
+ $post['post_title'] = sanitize_text_field( $_POST['away_team'] );
 $post['post_type'] = 'sp_team';
 $post['post_status'] = 'publish';
 $post['tax_input'] = array();
@@ -401,7 +401,7 @@ class SP_Admin_Setup_Wizard {
 wp_insert_post( $post );
 // Add home team
- $post['post_title'] = $_POST['home_team'];
+ $post['post_title'] = sanitize_text_field( $_POST['home_team'] );
 wp_insert_post( $post );
 wp_redirect( esc_url_raw( $this->get_next_step_link() ) );
diff --git a/includes/admin/class-sp-admin-welcome.php b/includes/admin/class-sp-admin-welcome.php
index 5b5cdbdd..db73e35a 100644
--- a/includes/admin/class-sp-admin-welcome.php
+++ b/includes/admin/class-sp-admin-welcome.php
@@ -152,13 +152,13 @@ class SP_Admin_Welcome {
diff --git a/includes/admin/importers/class-sp-event-importer.php b/includes/admin/importers/class-sp-event-importer.php
index 259fc8b9..f68069e0 100644
--- a/includes/admin/importers/class-sp-event-importer.php
+++ b/includes/admin/importers/class-sp-event-importer.php
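Review bot: The new `+` lines still read `$_POST['away_team']` (and `$_POST['home_team']` in the second hunk) without an `isset` guard, so a request missing either field raises an undefined-index notice and the wizard inserts an `sp_team` post with an empty title. Because `sanitize_text_field` can also reduce a tag-only value to `''`, I would read the field defensively and skip the insert when nothing remains, e.g. `$title = isset( $_POST['away_team'] ) ? sanitize_text_field( $_POST['away_team'] ) : '';` followed by `if ( '' === $title ) { ... }` before `wp_insert_post`. Leaving `wp_unslash` out is correct here, since `wp_insert_post` expects slashed input. The enclosing method starts and ends outside the hunk, and only `check_admin_referer( 'sp-setup' )` is visible — worth confirming that a capability check guards the wizard at its entry point.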
@@ -55,10 +55,10 @@ if ( class_exists( 'WP_Importer' ) ) {
 $rows = array_chunk( $array, sizeof( $columns ) );
 // Get event format, league, and season from post vars
- $event_format = ( empty( $_POST['sp_format'] ) ? false : $_POST['sp_format'] );
- $league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : $_POST['sp_league'] );
- $season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : $_POST['sp_season'] );
- $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] );
+ $event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_text_field( $_POST['sp_format'] ) );
+ $league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_league'] ) );
+ $season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_season'] ) );
+ $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
 // Get labels from result and performance post types
 $result_labels = sp_get_var_labels( 'sp_result' );
diff --git a/includes/admin/importers/class-sp-event-performance-importer.php b/includes/admin/importers/class-sp-event-performance-importer.php
index 8b74cc04..5bca7ed2 100644
--- a/includes/admin/importers/class-sp-event-performance-importer.php
+++ b/includes/admin/importers/class-sp-event-performance-importer.php
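Review bot: `sanitize_text_field` is a broad filter for the `sp_league` and `sp_season` values on the `+` lines, which the surrounding comment describes as league/season selections; if the import form submits term IDs, `absint()` pins the type, and if it submits slugs, `sanitize_key()` is the tighter choice, so worth checking what the form actually posts. `$date_format` here, and the same assignment in the `class-sp-player-importer.php` hunk, comes from a fixed set of formats, so an allow-list of the options the form offers would be stronger than text sanitization: `$date_format = in_array( $raw, $allowed_formats, true ) ? $raw : 'yyyy/mm/dd';` with `$allowed_formats` built from the form's option list. The `== '-1'` comparisons on the same lines are loose; `=== '-1'` is sufficient because `sp_array_value` is given a string default. The enclosing import method starts and ends outside the hunk.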
@@ -49,10 +49,10 @@ if ( class_exists( 'WP_Importer' ) ) {
 $rows = array_chunk( $array, sizeof( $columns ) );
 // Get event ID and team ID from post vars
- $event = ( empty( $_POST['sp_event'] ) ? false : $_POST['sp_event'] );
- $teams = ( empty( $_POST['sp_teams'] ) ? false : $_POST['sp_teams'] );
- $index = ( empty( $_POST['sp_index'] ) ? false : $_POST['sp_index'] );
- $team = ( empty( $_POST['sp_team'] ) ? false : $_POST['sp_team'] );
+ $event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( $_POST['sp_event'] ) );
+ $teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( $_POST['sp_teams'] ) );
+ $index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( $_POST['sp_index'] ) );
+ $team = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( $_POST['sp_team'] ) );
 $team_players = array( 0 );
 $team_performance = array();
diff --git a/includes/admin/importers/class-sp-player-importer.php b/includes/admin/importers/class-sp-player-importer.php
index a480abda..84875868 100644
--- a/includes/admin/importers/class-sp-player-importer.php
+++ b/includes/admin/importers/class-sp-player-importer.php
@@ -54,7 +54,7 @@ if ( class_exists( 'WP_Importer' ) ) {
 $rows = array_chunk( $array, sizeof( $columns ) );
 // Get Date of Birth format from post vars
- $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] );
+ $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
 foreach ( $rows as $row ):
diff --git a/includes/admin/post-types/class-sp-admin-cpt-calendar.php b/includes/admin/post-types/class-sp-admin-cpt-calendar.php
index 49909cfb..9e023e38 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-calendar.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-calendar.php
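Review bot: The `+` line for `$teams` wraps `$_POST['sp_teams']` in `sanitize_text_field`, but the plural name suggests this field may be posted as an array; `sanitize_text_field` does not recurse, so an array input collapses to `''` or to the literal string `Array` depending on the WordPress version, which would silently break the import rather than sanitize it — please confirm the form field type. If it is an array, sanitize element-wise instead: `$teams = empty( $_POST['sp_teams'] ) ? false : array_map( 'absint', (array) $_POST['sp_teams'] );`. The comment above calls `sp_event` and `sp_team` IDs, and `sp_index` appears to be a numeric index, so `absint()` would pin those three to integers instead of accepting arbitrary text. The enclosing import method starts and ends outside the hunk.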
@@ -110,7 +110,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
 if ( $typenow != 'sp_calendar' )
 return;
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -119,7 +119,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -128,7 +128,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -150,7 +150,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
 if ( $typenow == 'sp_calendar' ) {
 if ( ! empty( $_GET['team'] ) ) {
- $query->query_vars['meta_value'] = $_GET['team'];
+ $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
 $query->query_vars['meta_key'] = 'sp_team';
 }
 }
diff --git a/includes/admin/post-types/class-sp-admin-cpt-list.php b/includes/admin/post-types/class-sp-admin-cpt-list.php
index 447c0595..dcc7f4bd 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-list.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-list.php
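Review bot: `sanitize_key()` is applied to `$_REQUEST['team']` and, in the last hunk, to `$_GET['team']` used as the `meta_value` for `sp_team`, but the `team` dropdown is built with `'post_type' => 'sp_team'` and submits post IDs, so `absint()` is the precise filter: `sanitize_key` lowercases, keeps `-`/`_`, and returns `''` when the input has no valid characters, and because `! empty( $_GET['team'] )` is tested on the raw value, a sanitized-to-empty value still passes the guard and reaches the meta query as an empty value, which is not a meaningful filter. Sanitizing first and testing the result avoids that: `$team = absint( $_GET['team'] ); if ( $team ) { $query->query_vars['meta_value'] = $team; ... }`. If the `sp_league`/`sp_season` dropdowns submit term IDs, the same `absint()` treatment applies to them; if they submit slugs, `sanitize_key` is appropriate as written. The identical pattern appears in the hunks for `class-sp-admin-cpt-list.php`, `class-sp-admin-cpt-player.php`, `class-sp-admin-cpt-staff.php`, `class-sp-admin-cpt-table.php` and `class-sp-admin-cpt-team.php`. The enclosing methods start and end outside these hunks.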
@@ -104,7 +104,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
 if ( $typenow != 'sp_list' )
 return;
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -113,7 +113,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -122,7 +122,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -144,7 +144,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
 if ( $typenow == 'sp_list' ) {
 if ( ! empty( $_GET['team'] ) ) {
- $query->query_vars['meta_value'] = $_GET['team'];
+ $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
 $query->query_vars['meta_key'] = 'sp_team';
 }
 }
diff --git a/includes/admin/post-types/class-sp-admin-cpt-player.php b/includes/admin/post-types/class-sp-admin-cpt-player.php
index 8b76c152..b77f4b71 100755
--- a/includes/admin/post-types/class-sp-admin-cpt-player.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-player.php
@@ -141,7 +141,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 return;
 if ( taxonomy_exists( 'sp_position' ) ):
- $selected = isset( $_REQUEST['sp_position'] ) ? $_REQUEST['sp_position'] : null;
+ $selected = isset( $_REQUEST['sp_position'] ) ? sanitize_key( $_REQUEST['sp_position'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all positions', 'sportspress' ),
 'taxonomy' => 'sp_position',
@@ -151,7 +151,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 sp_dropdown_taxonomies( $args );
 endif;
- $selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -162,7 +162,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 wp_dropdown_pages( $args );
 if ( taxonomy_exists( 'sp_league' ) ):
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -173,7 +173,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 endif;
 if ( taxonomy_exists( 'sp_season' ) ):
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -198,7 +198,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 if ( $typenow == 'sp_player' ) {
 if ( ! empty( $_GET['team'] ) ) {
- $query->query_vars['meta_value'] = $_GET['team'];
+ $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
 $query->query_vars['meta_key'] = 'sp_team';
 }
 }
diff --git a/includes/admin/post-types/class-sp-admin-cpt-staff.php b/includes/admin/post-types/class-sp-admin-cpt-staff.php
index 2116e999..0a9ae880 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-staff.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-staff.php
@@ -119,7 +119,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
 if ( $typenow != 'sp_staff' )
 return;
- $selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -129,7 +129,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
 );
 wp_dropdown_pages( $args );
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -138,7 +138,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -159,7 +159,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
 if ( $typenow == 'sp_staff' ) {
 if ( ! empty( $_GET['team'] ) ) {
- $query->query_vars['meta_value'] = $_GET['team'];
+ $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
 $query->query_vars['meta_key'] = 'sp_team';
 }
 }
diff --git a/includes/admin/post-types/class-sp-admin-cpt-table.php b/includes/admin/post-types/class-sp-admin-cpt-table.php
index 94404306..2e9cf855 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-table.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-table.php
@@ -86,7 +86,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
 if ( $typenow != 'sp_table' )
 return;
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -95,7 +95,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -104,7 +104,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -126,7 +126,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
 if ( $typenow == 'sp_table' ) {
 if ( ! empty( $_GET['team'] ) ) {
- $query->query_vars['meta_value'] = $_GET['team'];
+ $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
 $query->query_vars['meta_key'] = 'sp_team';
 }
 }
diff --git a/includes/admin/post-types/class-sp-admin-cpt-team.php b/includes/admin/post-types/class-sp-admin-cpt-team.php
index 16d9b451..8163ec61 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-team.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-team.php
@@ -107,7 +107,7 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
 if ( $typenow != 'sp_team' )
 return;
- $selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
@@ -116,7 +116,7 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
diff --git a/includes/admin/settings/class-sp-settings-text.php b/includes/admin/settings/class-sp-settings-text.php
index 4bf5347e..20e09499 100644
--- a/includes/admin/settings/class-sp-settings-text.php
+++ b/includes/admin/settings/class-sp-settings-text.php
@@ -67,7 +67,7 @@ class SP_Settings_Text extends SP_Settings_Page {
 */
 public function save() {
 if ( isset( $_POST['sportspress_text'] ) )
- update_option( 'sportspress_text', $_POST['sportspress_text'] );
+ update_option( 'sportspress_text', array_map( 'sanitize_text_field', $_POST['sportspress_text'] ) );
 }
 }
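Review bot: `array_map( 'sanitize_text_field', $_POST['sportspress_text'] )` on the `+` line of `save()` assumes the posted value is an array; a scalar `sportspress_text` makes `array_map` throw a `TypeError` on PHP 8 (and return `null` with a warning on PHP 7), so guard the shape in the existing condition: `if ( isset( $_POST['sportspress_text'] ) && is_array( $_POST['sportspress_text'] ) )`. WordPress slashes `$_POST` and `update_option` does not unslash, so quotes in these strings are stored with backslashes; since this line is being touched, `array_map( 'sanitize_text_field', wp_unslash( $_POST['sportspress_text'] ) )` corrects that as well. Any nested array values are reduced to `''` by `sanitize_text_field`, which is presumably acceptable for a flat text map but worth confirming against the settings form. `save()` itself shows no nonce or capability check; if the parent `SP_Settings_Page` dispatch does not perform one before calling it, it belongs here. The method is complete within the hunk.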