diff --git a/app/controllers/spree/admin/base_controller.rb b/app/controllers/spree/admin/base_controller.rb
index 4028cf76ec..09ea88e90a 100644
--- a/app/controllers/spree/admin/base_controller.rb
+++ b/app/controllers/spree/admin/base_controller.rb
@@ -83,7 +83,7 @@ module Spree
 return unless protect_against_forgery?
 auth_token = params[request_forgery_protection_token]
- return if auth_token && form_authenticity_token == URI.unescape(auth_token)
+ return if auth_token && form_authenticity_token == CGI.unescape(auth_token)
 raise(ActionController::InvalidAuthenticityToken)
 end
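Review bot: `CGI.unescape` is not a drop-in replacement for `URI.unescape` on the changed `return if auth_token && ...` line, because it also turns `+` into a space, and a Base64-encoded authenticity token can contain `+`. Since `params` values are normally already percent-decoded by the framework, this second decode may corrupt a valid token and make the check raise `InvalidAuthenticityToken` for legitimate requests; it fails closed, but it is worth a test with a token containing `+`. Separately, the token is compared with `==`, which is not constant-time. If clients do not double-encode the token, consider `return if auth_token && ActiveSupport::SecurityUtils.secure_compare(form_authenticity_token, auth_token)`, assuming the Rails version in use provides it. The enclosing method starts outside this hunk, so how `form_authenticity_token` is produced could not be checked here.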