diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index e7bb5bf366..989e73fa46 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -18,7 +18,7 @@ module Spree
 end
 
 def update
- if @order.update_attributes(params[:order])
+ if @order.update_attributes(order_params)
 if params[:guest_checkout] == "false"
 @order.associate_user!(Spree.user_class.find_by(email: @order.email))
 end
@@ -41,6 +41,15 @@ module Spree
 
 private
 
+ def order_params
+ params.require(:order).permit(
+ :email,
+ :use_billing,
+ :bill_address_attributes => permitted_address_attributes,
+ :ship_address_attributes => permitted_address_attributes
+ )
+ end
+
 def load_order
 @order = Order.find_by_number!(params[:order_id], include: :adjustments)
 end
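Review bot: In `update` (first hunk), the guest-checkout branch hands the result of `Spree.user_class.find_by(email: @order.email)` straight to `associate_user!`, and `find_by` returns nil when no account has that address. The email is still request-supplied (it is one of the keys `order_params` permits), so a submitted address with no matching account reaches that call; `associate_user!` is not visible here, but if it dereferences its argument the action raises instead of re-rendering the form. I would guard it with `user = Spree.user_class.find_by(email: @order.email)` followed by `@order.associate_user!(user) if user`. The body of `update` continues outside the hunk.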
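Review bot: The allow-list in `order_params` (second hunk) is only as tight as `permitted_address_attributes`, which is defined outside this diff, so the nested keys it lets through for `bill_address_attributes` and `ship_address_attributes` should be checked as part of this change. `params.require(:order)` also raises `ActionController::ParameterMissing` when the `order` key is absent, where the old `params[:order]` simply passed nil; presumably the framework answers that with a 400, but a controller spec should confirm it. A second spec that submits a key outside the list and asserts the order is unchanged would pin the fix against later edits to the list. I would also add a comment above the method, `# Allow-list for the admin customer-details form: email, use_billing and the two nested addresses only.`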