diff --git a/includes/admin/core/class-admin-upgrade.php b/includes/admin/core/class-admin-upgrade.php
index e6d0c39c..0c56bee0 100644
--- a/includes/admin/core/class-admin-upgrade.php
+++ b/includes/admin/core/class-admin-upgrade.php
@@ -67,7 +67,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Upgrade' ) ) {
 if ( ! empty( $this->necessary_packages ) ) {
 add_action( 'admin_menu', array( $this, 'admin_menu' ), 0 );
- if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
+ if ( defined( 'DOING_AJAX' ) && DOING_AJAX && current_user_can( 'manage_options' ) ) {
 $this->init_packages_ajax();
 add_action( 'wp_ajax_um_run_package', array( $this, 'ajax_run_package' ) );
diff --git a/templates/members.php b/templates/members.php
index e1dc9adf..cf10f6c3 100644
--- a/templates/members.php
+++ b/templates/members.php
@@ -45,7 +45,7 @@ if ( count( $args['view_types'] ) == 1 ) {
 } else {
 $args['default_view'] = ! empty( $args['default_view'] ) ? $args['default_view'] : $args['view_types'][0];
 $default_view = $args['default_view'];
- $current_view = ( ! empty( $_GET[ 'view_type_' . $unique_hash ] ) && in_array( $_GET[ 'view_type_' . $unique_hash ], $args['view_types'] ) ) ? $_GET[ 'view_type_' . $unique_hash ] : $args['default_view'];
+ $current_view = ( ! empty( $_GET[ 'view_type_' . $unique_hash ] ) && in_array( $_GET[ 'view_type_' . $unique_hash ], $args['view_types'] ) ) ? sanitize_text_field( $_GET[ 'view_type_' . $unique_hash ] ) : $args['default_view'];
 }
 // Sorting
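Review bot: In includes/admin/core/class-admin-upgrade.php the added `current_user_can( 'manage_options' )` test only decides whether the upgrade AJAX hooks are registered. `ajax_run_package` and whatever `init_packages_ajax()` hooks up are outside this hunk, so it is not visible whether those handlers check the capability or a nonce themselves. I would repeat the check as the first statement of each handler, e.g. `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }`, and pair it with `check_ajax_referer()` so the request is also tied to an admin-issued nonce. The guard also depends on the current user being resolvable when this block runs; the enclosing function starts outside the hunk, so confirm it executes after WordPress has loaded its user functions. A short comment here should say why the capability is tested at registration time.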
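Review bot: In templates/members.php the added `sanitize_text_field()` runs after the allow-list test instead of before it, and `in_array()` is still called without its strict flag, so the string that is checked is not necessarily the string that is stored. Normalising once and comparing strictly makes the allow-list the actual control: read the parameter into a local with `$view = sanitize_text_field( wp_unslash( $_GET[ 'view_type_' . $unique_hash ] ) );`, test `in_array( $view, $args['view_types'], true )`, and assign that same local to `$current_view`. The `$args['default_view']` branch is stored unchanged and the places where `$current_view` is printed are outside this hunk, so it is still worth confirming that the value is escaped for its output context (for example `esc_attr()` inside attributes).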