diff --git a/classes/Pods.php b/classes/Pods.php
index 8afaf099a0..ab1866a8c0 100644
--- a/classes/Pods.php
+++ b/classes/Pods.php
@@ -4051,6 +4051,15 @@ public function form( $params = null, $label = null, $thank_you = null ) {
 		$fields_only = $params['fields_only'];
 		$output_type = $params['output_type'];
 
+		// Sanitize thank_you for security.
+		if ( ! empty( $thank_you ) ) {
+			// Additional sanitization.
+			$thank_you = sanitize_text_field( $thank_you );
+
+			// Fallback to '' so that the logic below can kick in if the thank you URL was not safe.
+			$thank_you = pods_enforce_safe_url( $thank_you, '' );
+		}
+
 		if ( empty( $output_type ) ) {
 			$output_type = 'div';
 		}
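Review bot: `sanitize_text_field()` on the added line is a text sanitizer rather than a URL one: it strips percent-encoded octets and tags, so a legitimate thank-you URL carrying something like `%20` in its query is silently rewritten before it is validated. `pods_enforce_safe_url()` already runs `wp_sanitize_redirect()` and `wp_validate_redirect()`, so the extra call could be dropped, or replaced with `$thank_you = esc_url_raw( $thank_you );` if scheme filtering is wanted. The comment should also say that off-site URLs are reset to `''` unless their host is allowed through the `allowed_redirect_hosts` filter, since that changes behaviour for existing forms. The rest of `form()` lies outside the hunk, so it is worth checking that `$thank_you` is not reassigned from `$params` after this block, which would skip the check.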
diff --git a/includes/data.php b/includes/data.php
index cc828a2fa1..b2fe659653 100644
--- a/includes/data.php
+++ b/includes/data.php
@@ -2998,3 +2998,23 @@ function pods_objects_keyed_by_name( $objects ) {
 
 	return $new_list;
 }
+
+/**
+ * Enforce a URL as safe and fallback to another URL if it is not safe.
+ *
+ * @since 3.1.4.1
+ *
+ * @param string      $url          The URL to enforce as safe.
+ * @param string|null $fallback_url The fallback URL to use if the URL is not valid.
+ *
+ * @return string The safe URL or the fallback URL if that was not valid.
+ */
+function pods_enforce_safe_url( string $url, ?string $fallback_url = null ) {
+	$url = wp_sanitize_redirect( $url );
+
+	if ( null === $fallback_url ) {
+		$fallback_url = pods_current_url();
+	}
+
+	return wp_validate_redirect( $url, $fallback_url );
+}
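Review bot: The docblock of `pods_enforce_safe_url()` never says what "safe" means, and its `@return` line is ambiguous about which URL "was not valid". I would spell it out, for example `Returns $url when wp_validate_redirect() accepts it (relative, or on a host allowed via the allowed_redirect_hosts filter); otherwise returns $fallback_url as given, without validating it.` The parameters are typed but the return is not; `function pods_enforce_safe_url( string $url, ?string $fallback_url = null ): string {` would match them. Because the default fallback comes from `pods_current_url()`, which is not shown here, it should be confirmed that it cannot return a URL assembled from request headers the client controls.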
diff --git a/init.php b/init.php
index c8cecfa249..653259b4a8 100644
--- a/init.php
+++ b/init.php
@@ -10,7 +10,7 @@
  * Plugin Name:       Pods - Custom Content Types and Fields
  * Plugin URI:        https://pods.io/
  * Description:       Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version:           3.1.4
+ * Version:           3.1.4.1
  * Author:            Pods Framework Team
  * Author URI:        https://pods.io/about/
  * Text Domain:       pods
@@ -43,7 +43,7 @@
 	add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 	// Current version.
-	define( 'PODS_VERSION', '3.1.4' );
+	define( 'PODS_VERSION', '3.1.4.1' );
 
 	// Current database version, this is the last version the database changed.
 	define( 'PODS_DB_VERSION', '2.3.5' );
diff --git a/package.json b/package.json
index 433ad7ab5c..3b39d71976 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pods",
-  "version": "3.1.4",
+  "version": "3.1.4.1",
   "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
   "author": "Pods Foundation, Inc",
   "homepage": "https://pods.io/",
diff --git a/readme.txt b/readme.txt
index f496666947..70daf1f6f0 100644
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields
 Requires at least: 6.0
 Tested up to: 6.5
 Requires PHP: 7.2
-Stable tag: 3.1.4
+Stable tag: 3.1.4.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -181,6 +181,12 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 
 == Changelog ==
 
+= 3.1.4.1 - May 8th, 2024 =
+
+*Security Release*
+
+* Security hardening: Enforce safe URLs for Pods form submission confirmation page URLs. Props to the wesley (wcraft) / Wordfence for responsibly reporting this. (@sc0ttkclark) 
+
 = 3.1.4 - February 28th, 2024 =
 
 * Fixed: Defaults now show correctly for checkbox groups in the Edit Field modals. (@sc0ttkclark)
diff --git a/src/Pods/Blocks/API.php b/src/Pods/Blocks/API.php
index fec956bca6..7eb484ed38 100644
--- a/src/Pods/Blocks/API.php
+++ b/src/Pods/Blocks/API.php
@@ -144,6 +144,11 @@ public function register_assets() {
 		 */
 		$blocks_config = (array) apply_filters( 'pods_blocks_api_config', $blocks_config );
 
+		// Sanitize callbackUrl for security.
+		foreach ( $blocks_config['commands'] as $key => $command ) {
+			$blocks_config['commands'][ $key ]['callbackUrl'] = pods_enforce_safe_url( (string) $command['callbackUrl'] );
+		}
+
 		wp_localize_script( 'pods-blocks-api', 'podsBlocksConfig', $blocks_config );
 
 		wp_enqueue_style( 'pods-styles' );
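Review bot: The added loop assumes that `$blocks_config['commands']` exists and that every entry has a `callbackUrl`, but the array has just come back from the `pods_blocks_api_config` filter, so neither is guaranteed. A missing `commands` key makes `foreach` iterate over null with a warning, and a command without the key raises an undefined-index notice and then gains an empty `callbackUrl` it never had. I would iterate over `(array) ( $blocks_config['commands'] ?? [] )` and start the body with `if ( ! is_array( $command ) || ! isset( $command['callbackUrl'] ) ) { continue; }`. `register_assets()` begins and ends outside this hunk.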
diff --git a/ui/front/form.php b/ui/front/form.php
index 8c7ccbaf7e..e96bd1cc1c 100644
--- a/ui/front/form.php
+++ b/ui/front/form.php
@@ -102,7 +102,7 @@
 	action=""
 	method="post"
 	class="pods-submittable pods-form pods-form-front pods-form-pod-<?php echo esc_attr( $pod_name ); ?> pods-submittable-ajax"
-	data-location="<?php echo esc_attr( $thank_you ); ?>"
+	data-location="<?php echo esc_attr( pods_enforce_safe_url( $thank_you ) ); ?>"
 	id="pods-form-<?php echo esc_attr( $pod_name . '-' . $counter ); ?>"
 	data-pods-pod-name="<?php echo esc_attr( $pod_name ); ?>"
 	data-pods-item-id="<?php echo esc_attr( $id ); ?>"
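Review bot: The new `data-location` line passes `$thank_you` to `pods_enforce_safe_url()` without a cast, while that function declares `string $url` and the call in `src/Pods/Blocks/API.php` does cast. `Pods::form()` defaults `$thank_you` to null and only sanitizes it when non-empty, so if null can reach this template the call throws a TypeError; `pods_enforce_safe_url( (string) $thank_you, '' )` avoids that. Passing `''` also matches the fallback used in `Pods::form()`, whereas the default here falls back to `pods_current_url()`; which one the front-end script expects should be confirmed. The surrounding `<form>` tag starts and ends outside the hunk.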