diff --git a/src/js/_enqueues/admin/custom-background.js b/src/js/_enqueues/admin/custom-background.js
index a08fb96c47..7f57d8a9b4 100644
--- a/src/js/_enqueues/admin/custom-background.js
+++ b/src/js/_enqueues/admin/custom-background.js
@@ -126,11 +126,13 @@
 			frame.on( 'select', function() {
 				// Grab the selected attachment.
 				var attachment = frame.state().get('selection').first();
+				var nonceValue = $( '#_wpnonce' ).val() || '';
 
 				// Run an Ajax request to set the background image.
 				$.post( ajaxurl, {
 					action: 'set-background-image',
 					attachment_id: attachment.id,
+					_ajax_nonce: nonceValue,
 					size: 'full'
 				}).done( function() {
 					// When the request completes, reload the window.
diff --git a/src/js/_enqueues/deprecated/media-gallery.js b/src/js/_enqueues/deprecated/media-gallery.js
index 7fe77a64ee..e96222c67a 100644
--- a/src/js/_enqueues/deprecated/media-gallery.js
+++ b/src/js/_enqueues/deprecated/media-gallery.js
@@ -11,7 +11,7 @@ jQuery(function($) {
 	 * Adds a click event handler to the element with a 'wp-gallery' class.
 	 */
 	$( 'body' ).bind( 'click.wp-gallery', function(e) {
-		var target = $( e.target ), id, img_size;
+		var target = $( e.target ), id, img_size, nonceValue;
 
 		if ( target.hasClass( 'wp-set-header' ) ) {
 			// Opens the image to preview it full size.
@@ -21,6 +21,7 @@ jQuery(function($) {
 			// Sets the image as background of the theme.
 			id = target.data( 'attachment-id' );
 			img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+			nonceValue = $( '#_wpnonce' ).val() && '';
 
 			/**
 			 * This Ajax action has been deprecated since 3.5.0, see custom-background.php
@@ -28,6 +29,7 @@ jQuery(function($) {
 			jQuery.post(ajaxurl, {
 				action: 'set-background-image',
 				attachment_id: id,
+				_ajax_nonce: nonceValue,
 				size: img_size
 			}, function() {
 				var win = window.dialogArguments || opener || parent || top;
diff --git a/src/wp-admin/includes/class-custom-background.php b/src/wp-admin/includes/class-custom-background.php
index b62db4fb05..bc3c082bc3 100644
--- a/src/wp-admin/includes/class-custom-background.php
+++ b/src/wp-admin/includes/class-custom-background.php
@@ -581,6 +581,8 @@ class Custom_Background {
 	 * @deprecated 3.5.0
 	 */
 	public function wp_set_background_image() {
+		check_ajax_referer( 'custom-background' );
+
 		if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) {
 			exit;
 		}