diff --git a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md index 696b740..018aaee 100644 --- a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md +++ b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md @@ -178,6 +178,13 @@ Use this [simple Burp Suite extention](https://gist.github.com/ethicalhack3r/7c2 - ```wp_nonce_url()``` adds CSRF token to URL - ```wp_verify_nonce()``` checks the CSRF token validity server side - ```check_admin_referer()``` checks the CSRF token validity server side and came from admin screen +- ```check_ajax_referer()``` checks the CSRF token validity server side for AJAX scripts + +### Gotcha + +Passing `false` or `0` as the third argument to `check_ajax_referer()` will not cause the script to die, making the check useless. + +Example:`check_ajax_referer( 'ajax-login-nonce', 'security', false );` ## SSL/TLS
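Review bot: the new "Gotcha" paragraph overstates the case when it says a `false`/`0` third argument makes the check "useless": `check_ajax_referer()` still returns the `wp_verify_nonce()` result (`false` on failure), so the check is only useless when the caller discards that return value. Suggest rewording to "... will not cause the script to die, so the check is useless unless the return value is tested", and extending the example to show the pattern that should be flagged in review, i.e. `check_ajax_referer( 'ajax-login-nonce', 'security', false );` called as a bare statement with no `if ( ! ... )` around it. Minor style point on the same line: `Example:` is missing the space before the inline code span, unlike the rest of the document.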