diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index b75033c5d6..d96220824f 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2835,6 +2835,10 @@ function wp_ajax_destroy_sessions() {
 * @since 4.2.0
 */
 function wp_ajax_install_plugin() {
+ if ( ! current_user_can( 'install_plugins' ) ) {
+ wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
+ }
+
 check_ajax_referer( 'updates' );
 include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );
@@ -2875,6 +2879,10 @@ function wp_ajax_install_plugin() {
 * @since 4.2.0
 */
 function wp_ajax_update_plugin() {
+ if ( ! current_user_can( 'update_plugins' ) ) {
+ wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
+ }
+
 check_ajax_referer( 'updates' );
 include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );
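Review bot: The new guard at the top of wp_ajax_install_plugin() refuses the request through `wp_die()` with a bare translated string, so a caller lacking `install_plugins` receives a plain-text body instead of a structured error. If the rest of this handler answers in JSON (its body continues outside the hunk, so that is an assumption), the denial would be more consistent as `wp_send_json_error( __( 'You do not have sufficient permissions to install plugins on this site.' ) );`. The same applies to the guard added to wp_ajax_update_plugin() in the second hunk. A one-line comment above the check, such as `// The nonce only guards against forged requests; this capability check is the authorization.`, would keep a later refactor from dropping it as redundant. As a style point, `__('…')` in both guards omits the inner spaces that `current_user_can( 'install_plugins' )` on the preceding line uses.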
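Review bot: The denial message in the guard added to wp_ajax_update_plugin() still says "install plugins" although the check is on `update_plugins`, so a user blocked from updating is told about the wrong permission; the string looks copied from the first hunk. The line should read `wp_die( __( 'You do not have sufficient permissions to update plugins on this site.' ) );`. The handler's body continues past the hunk, so whether any further per-plugin validation follows the nonce check is not visible here.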