$widgets_access = get_user_setting( 'widgets_access' );
if ( isset($_GET['widgets-access']) ) {
+ check_admin_referer( 'widgets-access' );
+
$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
set_user_setting( 'widgets_access', $widgets_access );
}