diff --git a/main/admin/settings.lib.php b/main/admin/settings.lib.php
index db821c830c..b7fedfa9c8 100755
--- a/main/admin/settings.lib.php
+++ b/main/admin/settings.lib.php
@@ -111,7 +111,7 @@ function handle_extensions()
 function handle_plugins()
 {
 $plugin_obj = new AppPlugin();
-
+ $token = Security::get_token();
 if (isset($_POST['submit_plugins'])) {
 store_plugins();
 // Add event to the system log.
@@ -126,7 +126,7 @@ function handle_plugins() //Plugins NOT installed echo Display::page_subheader(get_lang('Plugins')); - echo '
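Review bot: The `submit_plugins` branch in `handle_plugins()` still calls `store_plugins()` with no token check in the lines shown, so the value from the added `$token = Security::get_token();` does not protect this state-changing POST unless a check exists outside the hunk. If this form should be covered like the dashboard one, the guard would become `if (isset($_POST['submit_plugins']) && Security::check_token(...)) {`, followed by `Security::clear_token();`. The new `get_token()` call also sits above the POST branch; if it replaces the token stored in the session (not visible here), any validation has to run before it. The body of `handle_plugins()` continues outside the hunk.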
'; + echo ''; echo ''; echo ''; echo '
';
diff --git a/main/admin/settings.php b/main/admin/settings.php
index 1d35d79f94..94601c5ac7 100755
--- a/main/admin/settings.php
+++ b/main/admin/settings.php
@@ -443,7 +443,9 @@ if (!empty($_GET['category'])) {
 case 'Plugins':
 // Displaying the extensions: Plugins.
 // This will be available to all the sites (access_urls).
- if (isset($_POST['submit_dashboard_plugins'])) {
+ $securityToken = Security::remove_XSS($_GET['sec_token']);
+ if (isset($_POST['submit_dashboard_plugins']) && Security::check_token($securityToken)) {
+ Security::clear_token();
 $affected_rows = DashboardManager::store_dashboard_plugins($_POST);
 if ($affected_rows) {
 // add event to system log
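Review bot: `$_GET['sec_token']` is read without an existence or type check on every request that reaches `case 'Plugins':`, and it is passed through `Security::remove_XSS()`, an output filter that is unnecessary on a value that is only compared. A stricter read is `$securityToken = isset($_GET['sec_token']) && is_string($_GET['sec_token']) ? $_GET['sec_token'] : '';`. Carrying the anti-CSRF token in the query string also exposes it to access logs, browser history and Referer headers, whereas a hidden field in the POST body would avoid that. When the check fails the submission appears to be skipped silently (the rest of the branch is outside the hunk), so an error message and a log entry for the rejected request would help the admin and anyone reviewing the system log.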