Index: src/wp-admin/admin-post.php
===================================================================
--- src/wp-admin/admin-post.php	(revision 34092)
+++ src/wp-admin/admin-post.php	(working copy)
@@ -28,7 +28,7 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = wp_validate_action();
+$action = wp_raw_request_value( 'action' );
 
 if ( ! wp_validate_auth_cookie() ) {
 	if ( empty( $action ) ) {
Index: src/wp-admin/admin.php
===================================================================
--- src/wp-admin/admin.php	(revision 34092)
+++ src/wp-admin/admin.php	(working copy)
@@ -358,8 +358,8 @@
 	}
 }
 
-$_action = wp_validate_action();
-if ( ! empty( $_action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( $_action ) {
 	/**
 	 * Fires when an 'action' request variable is sent.
 	 *
Index: src/wp-admin/async-upload.php
===================================================================
--- src/wp-admin/async-upload.php	(revision 34092)
+++ src/wp-admin/async-upload.php	(working copy)
@@ -6,7 +6,7 @@
  * @subpackage Administration
  */
 
-// `wp_validate_action()` isn't loaded yet
+// `wp_raw_request_value()` isn't loaded yet
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
 	define( 'DOING_AJAX', true );
 }
@@ -20,7 +20,7 @@
 else
 	require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
 
-if ( ! wp_validate_action( 'upload-attachment' ) ) {
+if ( ! wp_raw_request_value( 'action', 'upload-attachment' ) ) {
 	// Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
 	if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
 		$_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
@@ -35,7 +35,7 @@
 
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 
-if ( wp_validate_action( 'upload-attachment' ) ) {
+if ( wp_raw_request_value( 'action', 'upload-attachment' ) ) {
 	include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 
 	send_nosniff_header();
Index: src/wp-admin/includes/class-wp-list-table.php
===================================================================
--- src/wp-admin/includes/class-wp-list-table.php	(revision 34092)
+++ src/wp-admin/includes/class-wp-list-table.php	(working copy)
@@ -427,9 +427,9 @@
 			 */
 			$this->_actions = apply_filters( "bulk_actions-{$this->screen->id}", $this->_actions );
 			$this->_actions = array_intersect_assoc( $this->_actions, $no_new_actions );
-			$two = '';
+			$two = '';		// 'action', 'doaction'
 		} else {
-			$two = '2';
+			$two = '2';		// 'action2', 'doaction2'
 		}
 
 		if ( empty( $this->_actions ) )
Index: src/wp-admin/includes/class-wp-terms-list-table.php
===================================================================
--- src/wp-admin/includes/class-wp-terms-list-table.php	(revision 34092)
+++ src/wp-admin/includes/class-wp-terms-list-table.php	(working copy)
@@ -153,10 +153,11 @@
 	 * @return string
 	 */
 	public function current_action() {
-		$action = wp_validate_action();
-		if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
+		$action = wp_raw_request_value( 'action' );
+		$action2 = wp_raw_request_value( 'action2' );
+		if ( is_string( $action ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $action2 ) ) {
 			return 'bulk-delete';
-
+		}
 		return parent::current_action();
 	}
 
Index: src/wp-admin/network/site-info.php
===================================================================
--- src/wp-admin/network/site-info.php	(revision 34092)
+++ src/wp-admin/network/site-info.php	(working copy)
@@ -53,7 +53,7 @@
 $parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME );
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) ) {
 	check_admin_referer( 'edit-site' );
 
 	switch_to_blog( $id );
Index: src/wp-admin/network/site-new.php
===================================================================
--- src/wp-admin/network/site-new.php	(revision 34092)
+++ src/wp-admin/network/site-new.php	(working copy)
@@ -33,7 +33,7 @@
 	'<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-site' ) ) {
+if ( wp_raw_request_value( 'action', 'add-site' ) ) {
 	check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
 
 	if ( ! is_array( $_POST['blog'] ) )
Index: src/wp-admin/network/site-settings.php
===================================================================
--- src/wp-admin/network/site-settings.php	(revision 34092)
+++ src/wp-admin/network/site-settings.php	(working copy)
@@ -48,7 +48,7 @@
 
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) && is_array( $_POST['option'] ) ) {
 	check_admin_referer( 'edit-site' );
 
 	switch_to_blog( $id );
Index: src/wp-admin/network/user-new.php
===================================================================
--- src/wp-admin/network/user-new.php	(revision 34092)
+++ src/wp-admin/network/user-new.php	(working copy)
@@ -30,7 +30,7 @@
 	'<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-user' ) ) {
+if ( wp_raw_request_value( 'action', 'add-user' ) ) {
 	check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
 	if ( ! current_user_can( 'manage_network_users' ) )
Index: src/wp-admin/network/users.php
===================================================================
--- src/wp-admin/network/users.php	(revision 34092)
+++ src/wp-admin/network/users.php	(working copy)
@@ -174,12 +174,12 @@
 
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
-$action = wp_validate_action();
-if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( wp_raw_request_value( 'updated', 'true' ) && $_action ) {
 	?>
 	<div id="message" class="updated notice is-dismissible"><p>
 		<?php
-		switch ( $action ) {
+		switch ( $_action ) {
 			case 'delete':
 				_e( 'User deleted.' );
 			break;
@@ -200,6 +200,7 @@
 	</p></div>
 	<?php
 }
+unset( $_action );
 	?>
 <div class="wrap">
 	<h1><?php esc_html_e( 'Users' );
Index: src/wp-admin/update.php
===================================================================
--- src/wp-admin/update.php	(revision 34092)
+++ src/wp-admin/update.php	(working copy)
@@ -17,7 +17,7 @@
 if ( isset($_GET['action']) ) {
 	$plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : '';
 	$theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : '';
-	$action = wp_validate_action();
+	$action = wp_raw_request_value( 'action' );
 
 	if ( 'update-selected' == $action ) {
 		if ( ! current_user_can( 'update_plugins' ) )
Index: src/wp-admin/user-new.php
===================================================================
--- src/wp-admin/user-new.php	(revision 34092)
+++ src/wp-admin/user-new.php	(working copy)
@@ -29,7 +29,7 @@
 	add_filter( 'wpmu_signup_user_notification_email', 'admin_created_user_email' );
 }
 
-if ( wp_validate_action( 'adduser' ) ) {
+if ( wp_raw_request_value( 'action', 'adduser' ) ) {
 	check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
 	$user_details = null;
@@ -101,7 +101,7 @@
 	}
 	wp_redirect( $redirect );
 	die();
-} elseif ( wp_validate_action( 'createuser' ) ) {
+} elseif ( wp_raw_request_value( 'action', 'createuser' ) ) {
 	check_admin_referer( 'create-user', '_wpnonce_create-user' );
 
 	if ( ! current_user_can( 'create_users' ) ) {
Index: src/wp-includes/functions.php
===================================================================
--- src/wp-includes/functions.php	(revision 34092)
+++ src/wp-includes/functions.php	(working copy)
@@ -4982,24 +4982,25 @@
 }
 
 /**
- * Retrieve and, optionally, validate, an `action` query var
+ * Retrieve and, optionally, validate, a single $_REQUEST string value.
  *
  * @since 4.4.0
  *
- * @param string $action Optional. Action to validate.
- * @return string Empty string if there is no action in the request or it doesn't
- *                match the passed `$action`. Returns the [passed `$action` or
- *                request action on succcess.
+ * @param string $field
+ * @param string|null $value Value to validate. Default null for no validation.
+ * @return string|bool|null
+ *				Null if request value not set or not a string.
+ *				Bool if $value non-null.
+ *				String raw value otherwise.
  */
-function wp_validate_action( $action = '' ) {
-	$r = $_REQUEST;
-	if ( ! isset( $r['action'] ) ) {
-		return '';
+function wp_raw_request_value( $field, $value = null ) {
+	if ( is_string( $field ) && isset( $_REQUEST[ $field ] ) ) {
+		$raw = $_REQUEST[ $field ];
+		if ( is_string( $raw ) ) {
+			if ( $value !== null ) {
+				return $value === $raw;
+			}
+			return $raw;
+		}
 	}
-
-	if ( ! empty( $action ) ) {
-		return $action === $r['action'] ? $action : '';
-	}
-
-	return $r['action'];
-}
\ No newline at end of file
+}