diff --git a/uc_bulk_stock_updater.inc b/uc_bulk_stock_updater.inc
index 3fa766a..fa33a26 100644
--- a/uc_bulk_stock_updater.inc
+++ b/uc_bulk_stock_updater.inc
@@ -23,6 +23,8 @@ function uc_bulk_stock_updater_stock_update() {
   
   drupal_add_js(drupal_get_path('module', 'uc_bulk_stock_updater') . '/uc_bulk_stock_updater.js');
   
+  drupal_add_js(array('uc_bsu_token' => drupal_get_token('ucbsu')), 'setting');
+
   $viewing_all_records = !is_null($_GET['nopage']); 
   $page_size = ($viewing_all_records ? UC_REPORTS_MAX_RECORDS : variable_get('uc_reports_table_size', 30));
   $rows = array();
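Review bot: The token is registered as a top-level `Drupal.settings.uc_bsu_token` key on the added drupal_add_js line, while the module's other setting is read from `Drupal.settings.uc_bulk_stock_updater.ajax_url` (visible in the uc_bulk_stock_updater.js hunk); a top-level key can collide with settings from other modules and makes the lookup inconsistent. Since 'setting' arrays passed to drupal_add_js appear to be merged, it should be possible to nest it under the existing module key, e.g. `drupal_add_js(array('uc_bulk_stock_updater' => array('token' => drupal_get_token('ucbsu'))), 'setting');`, with the JS side reading `Drupal.settings.uc_bulk_stock_updater.token`. The same point applies to the `data :` line in the uc_bulk_stock_updater.js hunk. uc_bulk_stock_updater_stock_update's body continues past this hunk.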
@@ -162,7 +164,7 @@ function uc_bulk_stock_updater_stock_update_ajax() {
   // validate and sanitize
   $value = BulkStockUpdater::sanitize_field($name, $value);
   
-  if (FALSE === $sku || FALSE === $value) {
+  if (FALSE === $sku || FALSE === $value || $_POST['uc_bsu_token'] != drupal_get_token('ucbsu')) {
   	$err = t('Invalid parameters supplied');
   } 
   else {
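Review bot: The new token check on the `if` line compares with loose `!=` and reads `$_POST['uc_bsu_token']` without an isset guard, so a request lacking the field raises an undefined-index notice and the comparison is an ordinary string compare rather than a constant-time one; Drupal's own `drupal_valid_token()` performs the lookup and comparison for you. Suggest `if (FALSE === $sku || FALSE === $value || !isset($_POST['uc_bsu_token']) || !drupal_valid_token($_POST['uc_bsu_token'], 'ucbsu')) {`. A failed token check currently collapses into the generic 'Invalid parameters supplied' error, so logging it separately, e.g. `watchdog('uc_bulk_stock_updater', 'Stock update rejected: invalid form token.', array(), WATCHDOG_WARNING);` in a dedicated branch, would let operators distinguish cross-site request attempts from malformed input. uc_bulk_stock_updater_stock_update_ajax's body starts and ends outside this hunk.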
diff --git a/uc_bulk_stock_updater.js b/uc_bulk_stock_updater.js
index cb3ee0d..19cf559 100644
--- a/uc_bulk_stock_updater.js
+++ b/uc_bulk_stock_updater.js
@@ -90,7 +90,7 @@ function uc_bulk_stock_updater_submitValue(inputElem)
 		url : Drupal.settings.uc_bulk_stock_updater.ajax_url,
 		type: 'POST',
 		timeout : 3000,
-		data : { sku: _sku, name: _name, value: _value },
+		data : { sku: _sku, name: _name, value: _value, uc_bsu_token: Drupal.settings.uc_bsu_token },
 		dataType : "json",
 	    error : function(_XMLHttpRequest, _textStatus, _errorThrown)
 	    {
