diff --git a/assets/src/js/admin/paypal-commerce/index.js b/assets/src/js/admin/paypal-commerce/index.js
index c73a4f4a6f..3463b9bdfd 100644
--- a/assets/src/js/admin/paypal-commerce/index.js
+++ b/assets/src/js/admin/paypal-commerce/index.js
@@ -314,6 +314,7 @@ window.addEventListener('DOMContentLoaded', function () {
                     formData.append('action', 'give_paypal_commerce_disconnect_account');
                     formData.append('mode', button.getAttribute('data-mode'));
                     formData.append('keep-webhooks', Boolean(keepWebhooks));
+                    formData.append('_ajax_nonce', button.getAttribute('data-nonce'));
 
                     requestData.method = 'POST';
                     requestData.body = formData;
diff --git a/src/PaymentGateways/PayPalCommerce/AdminSettingFields.php b/src/PaymentGateways/PayPalCommerce/AdminSettingFields.php
index b7331c7406..6136c50edc 100644
--- a/src/PaymentGateways/PayPalCommerce/AdminSettingFields.php
+++ b/src/PaymentGateways/PayPalCommerce/AdminSettingFields.php
@@ -13,6 +13,7 @@
  * Class AdminSettingFields
  * @package Give\PaymentGateways\PayPalCommerce
  *
+ * @unreleased added nonce to disconnect button
  * @since 2.9.0
  */
 class AdminSettingFields
@@ -472,7 +473,9 @@ class="button-wrap disconnection-setting<?php echo ! $canShowAccountInformation
                                 <span class="actions">
                                     <button
                                         class="js-give-paypal-disconnect-paypal-account"
-                                        data-mode="<?php echo $paypalSetting->mode; ?>">
+                                        data-mode="<?php echo $paypalSetting->mode; ?>"
+                                        data-nonce="<?php echo esc_attr(wp_create_nonce('give_paypal_commerce_disconnect_account')); ?>"
+                                    >
                                         <?php esc_html_e('Disconnect', 'give'); ?>
                                     </button>
                                 </span>
diff --git a/src/PaymentGateways/PayPalCommerce/AjaxRequestHandler.php b/src/PaymentGateways/PayPalCommerce/AjaxRequestHandler.php
index eb872ec95c..b1291e3914 100644
--- a/src/PaymentGateways/PayPalCommerce/AjaxRequestHandler.php
+++ b/src/PaymentGateways/PayPalCommerce/AjaxRequestHandler.php
@@ -184,6 +184,7 @@ public function onGetPartnerUrlAjaxRequestHandler()
     /**
      * give_paypal_commerce_disconnect_account ajax request handler.
      *
+     * @unreleased added security nonce check
      * @since 3.13.0 Add new $keepWebhooks option
      * @since 2.30.0 Add support for mode param.
      * @since 2.25.0 Remove merchant seller token.
@@ -191,6 +192,8 @@ public function onGetPartnerUrlAjaxRequestHandler()
      */
     public function removePayPalAccount()
     {
+        check_ajax_referer( 'give_paypal_commerce_disconnect_account');
+
         if (! current_user_can('manage_give_settings')) {
             wp_send_json_error(['error' => esc_html__('You are not allowed to perform this action.', 'give')]);
         }