diff --git a/polldaddy.php b/polldaddy.php index 617c8bf..13604db 100644 --- a/polldaddy.php +++ b/polldaddy.php @@ -3622,6 +3622,7 @@ function rating_settings() { + @@ -4051,6 +4052,8 @@ function update_rating() { $type = 'post'; $set = new stdClass; + check_admin_referer( 'action-update-rating_' . $_POST[ 'type' ] ); + if ( isset( $_REQUEST['rating_id'] ) ) $rating_id = (int) $_REQUEST['rating_id'];
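Review bot: In the update_rating() hunk, the new `check_admin_referer()` call reads `$_POST[ 'type' ]` without an `isset()` guard, while the lines after it read `$_REQUEST`. A request that lacks the key raises an undefined-index notice before the nonce check rejects it, and the action string is whatever the request supplies. I would normalise it first, e.g. `$nonce_type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';` followed by `check_admin_referer( 'action-update-rating_' . $nonce_type );`, provided the rating types the form emits survive `sanitize_key()` unchanged. The matching nonce field added in rating_settings() is not readable on this page, so confirm it uses the same action prefix and the default `_wpnonce` field name. A nonce only covers CSRF, and update_rating() continues outside the hunk, so if no `current_user_can()` check runs before this point, one belongs next to the referer check.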