diff --git a/Admin/Templates/editPlus.tpl b/Admin/Templates/editPlus.tpl
index e4e25486..9f60ba38 100644
--- a/Admin/Templates/editPlus.tpl
+++ b/Admin/Templates/editPlus.tpl
@@ -66,6 +66,7 @@ if($id){
+
diff --git a/Admin/Templates/givePlus.tpl b/Admin/Templates/givePlus.tpl
index 2dd5953f..cfbb00e3 100644
--- a/Admin/Templates/givePlus.tpl
+++ b/Admin/Templates/givePlus.tpl
@@ -55,6 +55,7 @@ $id = $_SESSION['id'];

Activate Travian Plus for ALL players on the server.

+ Days
diff --git a/Admin/Templates/givePlusRes.tpl b/Admin/Templates/givePlusRes.tpl
index 7a6c86b4..6739af5c 100644
--- a/Admin/Templates/givePlusRes.tpl
+++ b/Admin/Templates/givePlusRes.tpl
@@ -62,6 +62,7 @@ $id = $_SESSION['id'];
+
diff --git a/Admin/Templates/gold.tpl b/Admin/Templates/gold.tpl
index 992d5134..59df1a27 100644
--- a/Admin/Templates/gold.tpl
+++ b/Admin/Templates/gold.tpl
@@ -52,6 +52,7 @@ $id = $_SESSION['id'];

This gold will be added to ALL active players on the server.

+
+
diff --git a/GameEngine/Admin/Mods/editPlus.php b/GameEngine/Admin/Mods/editPlus.php
index 5ba776e6..f6678caf 100755
--- a/GameEngine/Admin/Mods/editPlus.php
+++ b/GameEngine/Admin/Mods/editPlus.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/givePlus.php b/GameEngine/Admin/Mods/givePlus.php
index 46b33021..34cae608 100755
--- a/GameEngine/Admin/Mods/givePlus.php
+++ b/GameEngine/Admin/Mods/givePlus.php
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/givePlusRes.php b/GameEngine/Admin/Mods/givePlusRes.php
index b15eddb4..b67ff9c7 100755
--- a/GameEngine/Admin/Mods/givePlusRes.php
+++ b/GameEngine/Admin/Mods/givePlusRes.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
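Review bot: The added `csrf_verify();` call in editPlus.php discards whatever the function returns, and its definition in `csrf.php` is not part of this diff, so the check only protects the Mod if `csrf_verify()` itself ends the request on a missing or mismatched token. If it reports failure through its return value instead, the line should become `if (!csrf_verify()) { die("Invalid CSRF token"); }` (message text is illustrative). It is also worth confirming that the function rejects non-POST requests rather than skipping them, since the new comment assumes the Mod is only ever POSTed to. The same four lines are added in givePlus.php, givePlusRes.php, gold.php and gold_1.php, and each script continues past the end of its hunk.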
diff --git a/GameEngine/Admin/Mods/gold.php b/GameEngine/Admin/Mods/gold.php
index 7b106443..12ba52c0 100755
--- a/GameEngine/Admin/Mods/gold.php
+++ b/GameEngine/Admin/Mods/gold.php
@@ -12,6 +12,12 @@
 #################################################################################
 if (!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 error_reporting(E_ALL);
diff --git a/GameEngine/Admin/Mods/gold_1.php b/GameEngine/Admin/Mods/gold_1.php
index aeab4e15..51846dc2 100755
--- a/GameEngine/Admin/Mods/gold_1.php
+++ b/GameEngine/Admin/Mods/gold_1.php
@@ -15,6 +15,11 @@ if (!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 include_once("../../Database.php");
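Review bot: The CSRF guard in gold.php and gold_1.php is opt-in per file, as it is in the three Mods patched before them, because each script pastes its own `require_once(__DIR__ . '/../csrf.php'); csrf_verify();` pair. By the new comment's own reasoning, any directly POSTed Mod that this commit does not touch, or that is added later, presumably stays without a token check until someone remembers to paste the same lines. Consider moving the session start, the `access < 9` check and the `csrf_verify()` call into one shared include that every Mod requires as its first statement, e.g. `require_once(__DIR__ . '/../<mod-guard>.php');` (placeholder name, not a file on this page). That would also give these two files the `empty($_SESSION['access'])` guard that editPlus.php already has in its unchanged context.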