diff --git a/custom/panel_templates/Default/core/widgets.tpl b/custom/panel_templates/Default/core/widgets.tpl
index 1e903dc808..910fc7e91a 100644
--- a/custom/panel_templates/Default/core/widgets.tpl
+++ b/custom/panel_templates/Default/core/widgets.tpl
@@ -49,10 +49,16 @@
{if $widget.enabled} - {$DISABLE} +
+ + +
{$EDIT} {else} - {$ENABLE} +
+ + +
{/if}
diff --git a/modules/Core/pages/panel/widgets.php b/modules/Core/pages/panel/widgets.php
index 2c494eb83a..5b17088d39 100644
--- a/modules/Core/pages/panel/widgets.php
+++ b/modules/Core/pages/panel/widgets.php
@@ -66,27 +66,30 @@
 // Enable a widget
 if (!isset($_GET['w']) || !is_numeric($_GET['w'])) die('Invalid widget!');
- // Get widget name
- $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
-
- if (count($name)) {
- $name = Output::getClean($name[0]->name);
- $widget = $widgets->getWidget($name);
-
- if (!is_null($widget)) {
- $queries->update(
- 'widgets',
- $_GET['w'],
- array(
- 'enabled' => 1
- )
- );
-
- $widgets->enable($widget);
-
- Session::flash('admin_widgets', $language->get('admin', 'widget_enabled'));
+ if (Token::check($_POST['token'])) {
+ // Get widget name
+ $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
+
+ if (count($name)) {
+ $name = Output::getClean($name[0]->name);
+ $widget = $widgets->getWidget($name);
+
+ if (!is_null($widget)) {
+ $queries->update(
+ 'widgets',
+ $_GET['w'],
+ array(
+ 'enabled' => 1
+ )
+ );
+
+ $widgets->enable($widget);
+
+ Session::flash('admin_widgets', $language->get('admin', 'widget_enabled'));
+ }
 }
- }
+
+ } else Session::flash('admin_widgets_error', $language->get('general', 'invalid_token'));
 Redirect::to(URL::build('/panel/core/widgets'));
 die();
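Review bot: `Token::check($_POST['token'])` on the first added line of the enable branch reads the key unconditionally, so a request that carries no `token` field (a plain GET to the old link URL, or a form missing the hidden input) raises an undefined-index warning before the check fails. Guard the lookup, e.g. `if (isset($_POST['token']) && Token::check($_POST['token'])) {`, or pass `$_POST['token'] ?? ''` if Token::check is known to accept an empty string. The disable hunk at `@@ -96,26 +99,29 @@` has the identical pattern and should get the same guard. The braceless `} else Session::flash(...)` following a braced `if` is also worth bracing to match the surrounding style. The enclosing action branch begins before this hunk.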
@@ -96,26 +99,29 @@
 die('Invalid widget!');
 }
- // Get widget name
- $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
- if (count($name)) {
- $name = Output::getClean($name[0]->name);
- $widget = $widgets->getWidget($name);
-
- if (!is_null($widget)) {
- $queries->update(
- 'widgets',
- $_GET['w'],
- array(
- 'enabled' => 0
- )
- );
-
- $widgets->disable($widget);
-
- Session::flash('admin_widgets', $language->get('admin', 'widget_disabled'));
+ if (Token::check($_POST['token'])) {
+ // Get widget name
+ $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
+ if (count($name)) {
+ $name = Output::getClean($name[0]->name);
+ $widget = $widgets->getWidget($name);
+
+ if (!is_null($widget)) {
+ $queries->update(
+ 'widgets',
+ $_GET['w'],
+ array(
+ 'enabled' => 0
+ )
+ );
+
+ $widgets->disable($widget);
+
+ Session::flash('admin_widgets', $language->get('admin', 'widget_disabled'));
+ }
 }
- }
+
+ } else Session::flash('admin_widgets_error', $language->get('general', 'invalid_token'));
 Redirect::to(URL::build('/panel/core/widgets'));
 die();
@@ -250,6 +256,10 @@
 $success = Session::flash('admin_widgets');
 }
+if (Session::exists('admin_widgets_error')) {
+ $errors = [Session::flash('admin_widgets_error')];
+}
+
 if (isset($success)) {
 $smarty->assign(
 array(