diff --git src/wp-admin/user-edit.php src/wp-admin/user-edit.php
index c5468cf937..6d6007a0f4 100644
--- src/wp-admin/user-edit.php
+++ src/wp-admin/user-edit.php
@@ -94,7 +94,12 @@ $user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pag
  * @since 3.0.0
  *
  * @param bool $allow Whether to allow editing of any user. Default true.
+ * 
+ * @global wpdb $wpdb WordPress database abstraction object.
  */
+
+global $wpdb;
+
 if ( is_multisite()
 	&& ! current_user_can( 'manage_network_users' )
 	&& $user_id !== $current_user->ID
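Review bot: The `@global wpdb $wpdb` tag is added to a docblock whose `@param bool $allow` describes a filter, and the new `global $wpdb;` statement sits between that docblock and the `if` it precedes, so the hook documentation is detached from its code. Nothing visible in this hunk uses `$wpdb`; if it is needed further down, declare it next to the first use and leave this docblock as it was. The added ` * ` line also carries trailing whitespace. The first users.php hunk repeats the pattern, inserting `global $wpdb;` between the `users_have_additional_content` docblock and its `apply_filters()` call. The `if` condition continues outside the hunk.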
@@ -262,7 +267,7 @@ switch ( $action ) {
 				<?php endif; ?>
 				<p>
 					<input type="hidden" name="from" value="profile" />
-					<input type="hidden" name="checkuser_id" value="<?php echo get_current_user_id(); ?>" />
+					<input type="hidden" name="checkuser_id" value="<?php echo esc_attr( get_current_user_id() ); ?>" />
 				</p>
 
 				<h2><?php _e( 'Personal Options' ); ?></h2>
@@ -504,7 +509,7 @@ switch ( $action ) {
 
 								?>
 								<?php foreach ( $public_display as $id => $item ) : ?>
-									<option <?php selected( $profile_user->display_name, $item ); ?>><?php echo $item; ?></option>
+									<option <?php selected( $profile_user->display_name, $item ); ?>><?php echo esc_html( $item ); ?></option>
 								<?php endforeach; ?>
 							</select>
 						</td>
@@ -552,9 +557,9 @@ switch ( $action ) {
 					</tr>
 
 					<?php foreach ( wp_get_user_contact_methods( $profile_user ) as $name => $desc ) : ?>
-					<tr class="user-<?php echo $name; ?>-wrap">
+					<tr class="user-<?php echo esc_attr( $name ); ?>-wrap">
 						<th>
-							<label for="<?php echo $name; ?>">
+							<label for="<?php echo esc_attr( $name ); ?>">
 							<?php
 							/**
 							 * Filters a user contactmethod label.
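Review bot: `esc_attr( $name )` inside the `class` value stops attribute breakout, but a key containing spaces would still yield several class tokens; `sanitize_html_class( $name )` is the usual helper for a class fragment, e.g. `<tr class="user-<?php echo sanitize_html_class( $name ); ?>-wrap">`. The `<label for>` now escapes `$name`, but the field it points at is rendered outside this hunk. That field's `id` and `name` attributes need the same escaping, otherwise the label/field pair can stop matching and the raw output remains. The `foreach` body continues past the hunk.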
diff --git src/wp-admin/users.php src/wp-admin/users.php
index 2c635c543a..977d8fd9d7 100644
--- src/wp-admin/users.php
+++ src/wp-admin/users.php
@@ -307,7 +307,10 @@ switch ( $wp_list_table->current_action() ) {
 		 *
 		 * @param bool  $users_have_additional_content Whether the users have additional content. Default false.
 		 * @param int[] $user_ids                      Array of IDs for users being deleted.
+		 * 
+		 * @global wpdb $wpdb WordPress database abstraction object.
 		 */
+		global $wpdb;
 		$users_have_content = (bool) apply_filters( 'users_have_additional_content', false, $user_ids );
 
 		if ( $user_ids && ! $users_have_content ) {
@@ -507,7 +510,7 @@ switch ( $wp_list_table->current_action() ) {
 		?>
 		<form method="post" name="updateusers" id="updateusers">
 		<?php wp_nonce_field( 'remove-users' ); ?>
-		<?php echo $referer; ?>
+		<?php echo esc_html( $referer ); ?>
 
 		<div class="wrap">
 		<h1><?php _e( 'Remove Users from Site' ); ?></h1>
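Review bot: `esc_html( $referer )` will print markup as literal text if `$referer` holds a pre-built hidden field, which its position directly after `wp_nonce_field()` inside the form suggests; the assignment is outside this hunk, so confirm it. In that case the referer would no longer be submitted with the form and the tag source would show on the page. Escape the request value where the field is built (`esc_attr()` on the `value`) and keep the plain `echo` here. The last hunk has the same problem with `echo esc_html( $msg );`: if the `$messages` entries are notice markup, `echo wp_kses_post( $msg );` keeps the formatting while still filtering it.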
@@ -679,7 +682,7 @@ switch ( $wp_list_table->current_action() ) {
 
 		if ( ! empty( $messages ) ) {
 			foreach ( $messages as $msg ) {
-				echo $msg;
+				echo esc_html( $msg );
 			}
 		}
 		?>
