diff --git a/inc/checkout/signup-fields/field-templates/class-base-field-template.php b/inc/checkout/signup-fields/field-templates/class-base-field-template.php
index 69f9587..8175dcb 100644
--- a/inc/checkout/signup-fields/field-templates/class-base-field-template.php
+++ b/inc/checkout/signup-fields/field-templates/class-base-field-template.php
@@ -153,7 +153,7 @@ class Base_Field_Template {
 $attributes = $signup_field->reduce_attributes($attributes);
 }
- $markup = sprintf('', esc_js($this->id), esc_attr(json_encode($attributes)));
+ $markup = sprintf('', esc_js($this->id), esc_attr(wp_json_encode($attributes)));
 } else {
 $markup = $this->render($attributes);
 }
diff --git a/inc/class-admin-notices.php b/inc/class-admin-notices.php
index bbe2a55..9e02c4f 100644
--- a/inc/class-admin-notices.php
+++ b/inc/class-admin-notices.php
@@ -57,9 +57,7 @@ class Admin_Notices {
 $dismissed = get_user_meta(get_current_user_id(), 'wu_dismissed_admin_notices', true);
- $dismissed = $dismissed ?: [];
-
- return $dismissed;
+ return $dismissed ?: [];
 }
 /**
@@ -184,14 +182,14 @@ class Admin_Notices {
 */
 public function ajax_dismiss_admin_notices(): void {
- if ( ! wp_verify_nonce($_POST['nonce'], 'wu-dismiss-admin-notice')) {
+ if ( ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'] ?? '')), 'wu-dismiss-admin-notice')) {
 die('-1');
 }
 $dismissed = $this->get_dismissed_notices();
- if ( ! in_array($_POST['notice_id'], $dismissed, true)) {
- $dismissed[] = $_POST['notice_id'];
+ if ( isset($_POST['notice_id']) && ! in_array($_POST['notice_id'], $dismissed, true)) {
+ $dismissed[] = sanitize_text_field(wp_unslash($_POST['notice_id']));
 update_user_meta(get_current_user_id(), 'wu_dismissed_admin_notices', $dismissed);
diff --git a/inc/managers/class-event-manager.php b/inc/managers/class-event-manager.php
index 1916850..3a01ce9 100644
--- a/inc/managers/class-event-manager.php
+++ b/inc/managers/class-event-manager.php
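Review bot: The first `%s` of the `sprintf` on the new `$markup` line is filled with `esc_js($this->id)`, and the template's HTML has been stripped from this view, so the context it lands in is not visible; if it is an element id or any other HTML attribute, `esc_attr($this->id)` is the matching escaper, because `esc_js()` escapes for a JavaScript string literal and does not entity-encode for HTML. If the placeholder sits inside an inline script string the current call is right, and a one-line comment saying so (`// %1$s is used inside a JS string, hence esc_js`) would settle the question for the next reader. The enclosing method starts and ends outside the hunk.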
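Review bot: `return $dismissed ?: [];` still lets a non-array value stored under `wu_dismissed_admin_notices` through: `get_user_meta()` yields `''` when the key is absent, which the `?:` covers, but a stored string or integer survives and the strict `in_array(..., $dismissed, true)` in `ajax_dismiss_admin_notices()` would then fail with a TypeError. Since the method's contract is a list of notice ids, `return is_array($dismissed) ? $dismissed : [];` gives the same result for the missing-key case and a safe default otherwise. The method's signature is outside the hunk.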
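Review bot: The membership test and the stored value now disagree: `in_array($_POST['notice_id'], $dismissed, true)` compares the raw, still-slashed request value, while the element appended is `sanitize_text_field(wp_unslash(...))`, so any id that sanitization alters is never found in `$dismissed` and is appended again on every call, growing the user meta without bound. Sanitize once into a local and use it in both places: `$notice_id = sanitize_text_field(wp_unslash($_POST['notice_id'] ?? ''));`, then `if ('' !== $notice_id && ! in_array($notice_id, $dismissed, true)) {` and `$dismissed[] = $notice_id;`. That also subsumes the new `isset()` guard, since an empty id is as meaningless as a missing one. The method body continues past the hunk.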
@@ -507,15 +507,15 @@ class Event_Manager extends Base_Manager { * * @param array $data Data. * @param mixed $obj Object. - * @param bool $new New. + * @param bool $new_model New. * * @since 2.1.4 */ - public function dispatch_base_model_event(array $data, $obj, bool $new): void { + public function dispatch_base_model_event(array $data, $obj, bool $new_model): void { $model = $obj->model; - $type = $new ? 'created' : 'updated'; + $type = $new_model ? 'created' : 'updated'; $registered_model = wu_get_isset($this->models_events, $model); diff --git a/inc/managers/class-form-manager.php b/inc/managers/class-form-manager.php index 547f06b..400cca7 100644 --- a/inc/managers/class-form-manager.php +++ b/inc/managers/class-form-manager.php @@ -79,7 +79,7 @@ class Form_Manager extends Base_Manager { ', - $message + esc_html($message) ); do_action('wu_form_scripts', false); @@ -101,12 +101,14 @@ class Form_Manager extends Base_Manager { printf( "
", - $form['id'], - $this->get_form_url( - $form['id'], - [ - 'action' => 'wu_form_handler', - ] + esc_attr($form['id']), + esc_attr( + $this->get_form_url( + $form['id'], + [ + 'action' => 'wu_form_handler', + ] + ) ) ); @@ -117,8 +119,8 @@ class Form_Manager extends Base_Manager {
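Review bot: The second placeholder of this `printf` now receives `esc_attr($this->get_form_url(...))`; the surrounding markup has been stripped from this view, but a form URL is normally placed in an `action` or `href` attribute, and for a URL attribute `esc_url()` is the expected escaper: it entity-encodes as `esc_attr()` does and additionally rejects disallowed schemes and strips invalid characters. If the URL does go into such an attribute, replacing the outer `esc_attr(` with `esc_url(` is the whole change. The enclosing method starts outside the hunk.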
  • {{ error.message }}
  • ', - $form['id'] . '_errors', - htmlspecialchars(json_encode(['errors' => []])) + esc_attr($form['id'] . '_errors'), + esc_attr(wp_json_encode(['errors' => []])) ); call_user_func($form['render']); @@ -174,18 +176,18 @@ class Form_Manager extends Base_Manager { /* * We only want ajax requests. */ - if ((empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower((string) $_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest')) { + if ((empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower(sanitize_key(wp_unslash($_SERVER['HTTP_X_REQUESTED_WITH']))) !== 'xmlhttprequest')) { wp_die(0); } $form = $this->get_form(wu_request('form')); if ( ! $form) { - return $this->display_form_unavailable(); + $this->display_form_unavailable(); } if ( ! current_user_can($form['capability'])) { - return $this->display_form_unavailable(); + $this->display_form_unavailable(); } } @@ -343,8 +345,7 @@ class Form_Manager extends Base_Manager { try { $object = call_user_func("wu_get_{$model}", $id); - } catch (\Throwable $exception) { - + } catch (\Throwable $exception) { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement // No need to do anything, but cool to stop fatal errors. } @@ -382,7 +383,7 @@ class Form_Manager extends Base_Manager { 'type' => 'hidden', 'value' => $object->get_id(), ], - 'meta_key' => [ + 'meta_key' => [ // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key 'type' => 'hidden', 'value' => $meta_key, ], @@ -407,7 +408,7 @@ class Form_Manager extends Base_Manager { 'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid', 'html_attr' => [ 'data-wu-app' => 'true', - 'data-state' => json_encode( + 'data-state' => wp_json_encode( [ 'confirmed' => false, ] 
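Review bot: Dropping the `return` in front of both `$this->display_form_unavailable()` calls (correct for the `void` return type) changes control flow unless that method terminates the request itself: when `$form` is falsy, execution now continues into `current_user_can($form['capability'])`, which reads an array offset on `false` (a PHP 8 warning) and calls `display_form_unavailable()` a second time. If `display_form_unavailable()` does not end in `wp_die()`, keep the early exit with a bare return, `$this->display_form_unavailable(); return;`, in the first guard; the capability guard appears to be the method's last statement, so it needs none. Separately, `strtolower(sanitize_key(...))` on the ajax header check is redundant, since `sanitize_key()` already lowercases its input. The enclosing method starts outside the hunk.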
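Review bot: The `// phpcs:ignore Generic.CodeAnalysis.EmptyStatement` added to this `catch (\Throwable $exception)` and to the second instance later in the same file (hunk `@@ -462,7 +463,7 @@`) silences the sniff without addressing what it flags: the block swallows every error from the dynamically named `wu_get_{$model}` call, including `TypeError` and `Error`, and leaves `$object` unassigned with no record of why. If best-effort lookup is the intent, express it in code rather than in a sniff annotation: initialise `$object = null;` before the `try`, record the failure through whatever logging the plugin already uses, or narrow the catch to the exception types the lookup is known to raise. The enclosing method starts and ends outside the hunk.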
@@ -462,7 +463,7 @@ class Form_Manager extends Base_Manager { try { $object = call_user_func("wu_get_{$model}", $id); - } catch (\Throwable $exception) { + } catch (\Throwable $exception) { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement // No need to do anything, but cool to stop fatal errors. } @@ -556,7 +557,7 @@ class Form_Manager extends Base_Manager { 'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid', 'html_attr' => [ 'data-wu-app' => 'true', - 'data-state' => json_encode( + 'data-state' => wp_json_encode( [ 'confirmed' => false, ] diff --git a/inc/managers/class-gateway-manager.php b/inc/managers/class-gateway-manager.php index fe7031b..58803ff 100644 --- a/inc/managers/class-gateway-manager.php +++ b/inc/managers/class-gateway-manager.php @@ -79,6 +79,7 @@ class Gateway_Manager extends Base_Manager { * Adds our own default gateways. */ add_action('wu_register_gateways', [$this, 'add_default_gateways'], 5); + /* * Allow developers to add new gateways. */ @@ -277,11 +278,11 @@ class Gateway_Manager extends Base_Manager { $gateway = wu_get_gateway($gateway_id); if ( ! $gateway) { - $error = new \WP_Error('missing_gateway', __('Missing gateway parameter.', 'wp-ultimo')); + $error = new \WP_Error('missing_gateway', esc_html__('Missing gateway parameter.', 'wp-ultimo')); wp_die( $error, - __('Error', 'wp-ultimo'), + esc_html__('Error', 'wp-ultimo'), [ 'back_link' => true, 'response' => '200', @@ -482,7 +483,6 @@ class Gateway_Manager extends Base_Manager { 'desc' => $desc, 'class_name' => $class_name, 'active' => in_array($id, $active_gateways, true), - 'active' => in_array($id, $active_gateways, true), 'hidden' => (bool) $hidden, 'gateway' => $class_name, // Deprecated. ]; diff --git a/inc/ui/class-base-element.php b/inc/ui/class-base-element.php index 68b3ed4..8799ef7 100644 --- a/inc/ui/class-base-element.php 
+++ b/inc/ui/class-base-element.php @@ -893,6 +893,7 @@ abstract class Base_Element { } $this->save_widget_settings($settings); + $referer = isset($_SERVER['HTTP_REFERER']) ? sanitize_url(wp_unslash($_SERVER['HTTP_REFERER'])) : ''; wp_send_json_success( [ @@ -901,7 +902,7 @@ abstract class Base_Element { 'function_name' => 'wu_block_ui', 'data' => '#wpcontent', ], - 'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER']), + 'redirect_url' => add_query_arg('updated', 1, $referer), ] ); } @@ -1048,7 +1049,7 @@ abstract class Base_Element { public function as_inline_content($screen_id, $hook = 'admin_notices', $atts = []): void { if ( ! function_exists('get_current_screen')) { - _doing_it_wrong(__METHOD__, __('An element can not be loaded as inline content unless the get_current_screen() function is already available.', 'wp-ultimo'), '2.0.0'); + _doing_it_wrong(__METHOD__, esc_html__('An element can not be loaded as inline content unless the get_current_screen() function is already available.', 'wp-ultimo'), '2.0.0'); return; } @@ -1089,7 +1090,7 @@ abstract class Base_Element { echo '
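Review bot: `sanitize_url()` on `$_SERVER['HTTP_REFERER']` cleans the string but does not constrain where it points, so `redirect_url` in the JSON response is still a client-supplied, possibly external URL; if the front end navigates to it after saving, that is an open redirect. WordPress already provides the safe form: `$referer = wp_get_referer() ?: admin_url();` unslashes the header, validates it with `wp_validate_redirect()` against the allowed hosts, and the `?:` fallback covers a missing or rejected referer, after which `add_query_arg('updated', 1, $referer)` stays as written. The enclosing method starts outside the hunk.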
    '; - echo '
    '; + echo '
    '; echo $this->display($atts);