diff --git a/src/wp-admin/admin-post.php b/src/wp-admin/admin-post.php
index 803a00652c..c42a42230d 100644
--- a/src/wp-admin/admin-post.php
+++ b/src/wp-admin/admin-post.php
@@ -29,7 +29,7 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = empty( wp_unslash( $_REQUEST['action'] ) ) ? '' : wp_unslash( $_REQUEST['action'] );
 
 if ( ! is_user_logged_in() ) {
 	if ( empty( $action ) ) {
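Review bot: On the added `$action` line, `empty()` now wraps a function call, so it no longer suppresses the missing-key case: a request without `action` reads `$_REQUEST['action']` directly and raises an undefined index/array key notice before `empty()` runs. Keeping the emptiness test on the raw superglobal and unslashing only the value that is used avoids both the notice and the double call: `$action = empty( $_REQUEST['action'] ) ? '' : wp_unslash( $_REQUEST['action'] );`. The value is request-controlled and `wp_unslash()` passes arrays through, so an `action[]=…` request would still leave `$action` as an array; an `is_string()` guard is worth adding if the code below the hunk (not visible here) uses it as a string.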
