diff --git wp-content/plugins/buddypress/bp-xprofile/classes/class-bp-xprofile-field.php wp-content/plugins/buddypress/bp-xprofile/classes/class-bp-xprofile-field.php
index 20eb7224b..593614797 100644
--- wp-content/plugins/buddypress/bp-xprofile/classes/class-bp-xprofile-field.php
+++ wp-content/plugins/buddypress/bp-xprofile/classes/class-bp-xprofile-field.php
@@ -570,12 +570,12 @@ class BP_XProfile_Field {
 	public function get_children( $for_editing = false ) {
 		global $wpdb;
 
-		// Sanitize 'order_by'.
-		$order_by = bp_esc_sql_order( $this->order_by );
-
 		// This is done here so we don't have problems with sql injection.
-		if ( empty( $for_editing ) ) {
+		if ( true === empty( $for_editing ) && 'custom' !== $this->order_by ) {
+			// Sanitize 'order_by'.
+			$order_by = bp_esc_sql_order( $this->order_by );
 			$sort_sql = "ORDER BY name {$order_by}";
+
 		} else {
 			$sort_sql = 'ORDER BY option_order ASC';
 		}
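Review bot: `$order_by` is now assigned only inside the first branch, so any later read of it in get_children() (the body continues outside this hunk) would see an undefined variable whenever `$for_editing` is set or the order is 'custom'; worth confirming nothing below the hunk uses it. Keeping the `bp_esc_sql_order()` call directly above the interpolation into `$sort_sql` is good, but the comment "This is done here so we don't have problems with sql injection." now heads a condition that selects the sort mode rather than the sanitising call. I would move it down next to the call and state the guarantee, e.g. `// bp_esc_sql_order() should only ever yield 'ASC' or 'DESC', so the value is safe to interpolate.`, and add a word on why 'custom' falls through to `option_order`. On style, `true === empty( $for_editing )` is redundant because `empty()` already returns a bool, so `if ( empty( $for_editing ) && 'custom' !== $this->order_by ) {` reads the same, and the blank line added before `} else {` can be dropped.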
