diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 4da1878051..253ba5113a 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2752,14 +2752,14 @@ function wp_ajax_get_revision_diffs() {
 	require ABSPATH . 'wp-admin/includes/revision.php';
 	if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
-		wp_send_json_error();
+		wp_send_json_error(111);
 	if ( ! current_user_can( 'read_post', $post->ID ) )
-		wp_send_json_error();
+		wp_send_json_error(222);
 	// Really just pre-loading the cache here.
 	if ( ! $revisions = wp_get_post_revisions( $post->ID, array( 'check_enabled' => false ) ) )
-		wp_send_json_error();
+		wp_send_json_error(333);
 	$return = array();
 	@set_time_limit( 0 );
@@ -3310,6 +3310,8 @@ function wp_ajax_save_wporg_username() {
 		wp_send_json_error();
 	}
+	check_ajax_referer( 'save_wporg_username_' . get_current_user_id() );
+
 	$username = isset( $_REQUEST['username'] ) ? wp_unslash( $_REQUEST['username'] ) : false;
 	if ( ! $username ) {
diff --git a/src/wp-admin/includes/class-wp-plugin-install-list-table.php b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
index ba8445c1bd..1d0f6c9c20 100644
--- a/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
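Review bot: The literals 111, 222 and 333 handed to wp_send_json_error() in the three guard branches are undocumented magic numbers and read like leftover debug markers; since that argument is the data the client receives, each code either needs a named meaning or should be dropped. Returning different values for a post that does not exist (111) and a post the current user may not read (222) also lets a caller tell the two cases apart, which the previous uniform `wp_send_json_error()` did not allow and which turns the endpoint into an existence oracle for post IDs. If per-cause diagnostics are wanted, keep the first two branches indistinguishable to the client, e.g. `wp_send_json_error();` for both, and record the distinction server-side instead. wp_ajax_get_revision_diffs continues past the end of the hunk.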
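Review bot: The nonce action `'save_wporg_username_' . get_current_user_id()` is spelled out by hand here and again as `$action` in the class-wp-plugin-install-list-table.php and plugin-install.php hunks, so the three copies can drift apart and the verify side would then reject every request without any obvious error. Consider one small helper or constant that produces the action string and have all three sites call it, so a future rename changes every producer and consumer at once. The placement looks right: the `}` above appears to close a capability guard that begins outside the hunk, so the referer check runs only for users who could act at all; wp_ajax_save_wporg_username starts outside the hunk.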
@@ -170,8 +170,13 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 				break;
 			case 'favorites':
-				$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-				update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+				$action = 'save_wporg_username_' . get_current_user_id();
+				if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+					$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+					update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+				} else {
+					$user = get_user_option( 'wporg_favorites' );
+				}
 				if ( $user )
 					$args['user'] = $user;
 				else
diff --git a/src/wp-admin/includes/plugin-install.php b/src/wp-admin/includes/plugin-install.php
index bb450e12ef..4a1375d753 100644
--- a/src/wp-admin/includes/plugin-install.php
+++ b/src/wp-admin/includes/plugin-install.php
@@ -300,7 +300,8 @@ function install_plugins_upload() {
  *
  */
 function install_plugins_favorites_form() {
-	$user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+	$user = get_user_option( 'wporg_favorites' );
+	$action = 'save_wporg_username_' . get_current_user_id();
 	?>
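Review bot: Inside the verified branch, `$user` from `$_GET['user']` is only unslashed before update_user_meta() persists it, so any string the browser sends becomes the stored wordpress.org username; the nonce shows the request came from this user's own form, not that the value is well-formed. Unless a downstream consumer already normalises it, sanitise at the boundary, e.g. `$user = isset( $_GET['user'] ) ? sanitize_text_field( wp_unslash( $_GET['user'] ) ) : get_user_option( 'wporg_favorites' );`. The else branch silently discards a submitted name when the nonce is missing or stale, which is the right outcome but not self-evident; a comment such as `// No valid nonce: ignore the submitted username and keep the stored one.` would mark it as intentional. The enclosing method begins and ends outside the hunk.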

@@ -309,6 +310,7 @@ function install_plugins_favorites_form() { +

+