diff --git a/wp-admin/post.php b/wp-admin/post.php
index 9a5748d35a..0f4187e9ce 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -87,6 +87,8 @@ case 'edit': break; case 'editattachment':
+ check_admin_referer();
+ $post_id = (int) $_POST['post_ID']; // Don't let these be changed
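Review bot: The added `check_admin_referer();` in the `editattachment` case passes no action, so the check is not tied to this operation or to the attachment being edited. Depending on the WordPress release, the default action (-1) may accept a matching admin Referer header in place of a nonce, which is weaker CSRF protection than a per-post nonce. I would move the call below the `$post_id` assignment and bind it to the post, for example `check_admin_referer( 'update-attachment_' . $post_id );`. The attachment edit form would then need to emit the matching field with `wp_nonce_field()`; that form is not part of this hunk, so please confirm it. The case body continues past the end of the hunk, so the capability checks that follow are not visible here.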