diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 2af08fba70af9..4043e39154072 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -338,11 +338,11 @@ function wp_ajax_autocomplete_user() {
 'fields' => 'ID',
 )
 ) : array() );
-
+ $term = isset( $_REQUEST['term'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) ) : '';
 $users = get_users(
 array(
 'blog_id' => false,
- 'search' => '*' . $_REQUEST['term'] . '*',
+ 'search' => '*' . $term . '*',
 'include' => $include_blog_users,
 'exclude' => $exclude_blog_users,
 'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),
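Review bot: When `term` is absent or sanitises to an empty string, `$term` falls back to `''` and the `'search'` argument becomes the bare wildcard `'**'`, which presumably matches every user that passes the include/exclude filters instead of none. An autocomplete endpoint should stop before calling `get_users()` in that case, for example `if ( '' === $term ) { wp_die( -1 ); }` directly after the new `$term` line, using whatever failure response the rest of the function uses. The new line also takes the place of the blank line that separated the preceding `) : array() );` statement from the query; keeping a blank line before `$users = get_users(` would read better. `wp_ajax_autocomplete_user()` begins and ends outside the hunk, so any capability or nonce checks guarding this lookup are not visible here.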