diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index 8ca1a9b02..d17e4bc95 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -32,6 +32,8 @@ break;
 
 case 'update':
 
+check_admin_referer();
+
 $errors = array();
 
 if (!current_user_can('edit_users'))