$_REQUEST['term'] used unsanitized in user search query

User-supplied search term is concatenated directly into the get_users() search argument without
  sanitize_text_field() or wp_unslash().

Author: rajeshcpr

src/wp-admin/includes/ajax-actions.php

@@ -338,11 +338,11 @@ function wp_ajax_autocomplete_user() {
 			'fields'  => 'ID',
 		)
 	) : array() );
-
+	$term = isset( $_REQUEST['term'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) ) : '';
 	$users = get_users(
 		array(
 			'blog_id'        => false,
-			'search'         => '*' . $_REQUEST['term'] . '*',
+			'search'         => '*' . $term . '*',
 			'include'        => $include_blog_users,
 			'exclude'        => $exclude_blog_users,
 			'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),