diff --git a/lib/plugins/extension/action.php b/lib/plugins/extension/action.php
index 3bb0448257..b57fe558ef 100644
--- a/lib/plugins/extension/action.php
+++ b/lib/plugins/extension/action.php
@@ -57,8 +57,13 @@ public function info(Doku_Event $event, $param)
 switch ($act) {
 case 'enable':
 case 'disable':
- $extension->$act(); //enables/disables
+ if(getSecurityToken() != $INPUT->str('sectok')) {
+ http_status(403);
+ echo 'Security Token did not match. Possible CSRF attack.';
+ return;
+ }
+ $extension->$act(); //enables/disables
 $reverse = ($act == 'disable') ? 'enable' : 'disable';
 $return = array(
diff --git a/lib/plugins/extension/script.js b/lib/plugins/extension/script.js
index 7c915808ee..7742b1583f 100644
--- a/lib/plugins/extension/script.js
+++ b/lib/plugins/extension/script.js
@@ -64,8 +64,9 @@ jQuery(function(){
 DOKU_BASE + 'lib/exe/ajax.php',
 {
 call: 'plugin_extension',
- ext: extension,
- act: act
+ ext: extension,
+ act: act,
+ sectok: $btn.parents('form').find('input[name=sectok]').val()
 },
 function (data) {
 $btn.css('cursor', '')
@@ -74,12 +75,15 @@ jQuery(function(){
 .removeClass('enable')
 .text(data.label)
 .addClass(data.reverse)
- .parents('li')
+ .parents('li')
 .removeClass('disabled')
 .removeClass('enabled')
 .addClass(data.state);
 }
- );
+ ).fail(function() {
+ $btn.css('cursor', '')
+ .removeAttr('disabled');
+ });
 });
 /**
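Review bot: The token check on the added `if` line uses loose `!=`, which in PHP compares two numeric-looking strings numerically (two hex tokens that both start with `0e` followed only by digits compare equal), so the CSRF guard is weaker than intended; compare strictly, `if (getSecurityToken() !== $INPUT->str('sectok')) {`, or use `hash_equals()` where the supported PHP version allows it. The rejection path answers with a plain-text body while the success path below builds a JSON `$return`; a JSON error body of the same shape would let the client report the failure consistently. `$INPUT` has to be brought in with `global $INPUT;` at the top of `info()`, which the hunk does not show, so that is worth confirming. The hunk header announces 8 old lines but only 6 are visible here, and `info()` continues outside the hunk.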
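Review bot: The token lookup on the added `sectok:` line depends on the toggle button sitting inside a `form` that carries a hidden `input[name=sectok]`, which this hunk does not show; if that input is absent, `.val()` yields `undefined`, jQuery drops the key from the POST, and every enable/disable request is rejected by the new server-side 403 with no hint why. If the extension list's form does not already render that hidden field, emit it there (DokuWiki's `formSecurityToken()` helper produces it) rather than relying on an unrelated ancestor form. The enclosing `jQuery.post` call starts before this hunk.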
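Review bot: The new `.fail` handler only restores the cursor and removes `disabled`, discarding the response, so a 403 from the token check (or any transport error) leaves the user with a button that silently did nothing. Accept the `jqXHR` argument and surface the failure, e.g. `}).fail(function (jqXHR) {` … `window.alert(jqXHR.responseText || 'Request failed');`, or whatever message mechanism the page already uses. The `.parents('li')` removed/added pair is a whitespace-only change. The success callback this hunk closes starts before it.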