diff --git a/app/controllers/admin/column_preferences_controller.rb b/app/controllers/admin/column_preferences_controller.rb
index 64c028b104..0d7198b5b3 100644
--- a/app/controllers/admin/column_preferences_controller.rb
+++ b/app/controllers/admin/column_preferences_controller.rb
@@ -21,14 +21,18 @@ module Admin
 
     private
 
+    def permitted_params
+      params.permit(:action_name, column_preferences: [:id, :user_id, :action_name, :column_name, :visible])
+    end
+
     def load_collection
-      collection_hash = Hash[params[:column_preferences].each_with_index.map { |cp, i| [i, cp] }]
-      collection_hash.select!{ |_i, cp| cp[:action_name] == params[:action_name] }
+      collection_hash = Hash[permitted_params[:column_preferences].each_with_index.map { |cp, i| [i, cp] }]
+      collection_hash.select!{ |_i, cp| cp[:action_name] == permitted_params[:action_name] }
       @cp_set = ColumnPreferenceSet.new @column_preferences, collection_attributes: collection_hash
     end
 
     def collection
-      ColumnPreference.where(user_id: spree_current_user, action_name: params[:action_name])
+      ColumnPreference.where(user_id: spree_current_user, action_name: permitted_params[:action_name])
     end
 
     def collection_actions
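Review bot: The permit list in `permitted_params` still lets the client supply `user_id` (and `id`) for each column preference, so whitelisting does not by itself close the mass-assignment hole: `collection` scopes reads by `spree_current_user`, but the attributes handed to `ColumnPreferenceSet.new` in `load_collection` carry whatever `user_id` the request sent, and whether that value is ever written depends on `ColumnPreferenceSet`, which is outside this hunk. The owner should come from the session, not the request — drop `:user_id` from the list, `params.permit(:action_name, column_preferences: [:id, :action_name, :column_name, :visible])`, and have `load_collection` (or the set) stamp `spree_current_user.id` on each entry; any submitted `id` should likewise only be honoured if it belongs to the user-scoped `collection`. Separately, the new code keeps the old crash path: when `column_preferences` is absent, or is not an array of hashes and is therefore dropped by `permit`, `permitted_params[:column_preferences]` is `nil` and `each_with_index` raises `NoMethodError`; wrapping it as `Array(permitted_params[:column_preferences])` turns a malformed request into an empty update instead of a 500. Note too that `permit` is called directly on the top-level `params`, so keys such as `authenticity_token` or `utf8` count as unpermitted and will raise if the app sets `action_on_unpermitted_parameters = :raise` — `params.permit(...)` on a nested key via `require` is the usual shape. The `@column_preferences` instance variable read in `load_collection` is assigned outside this hunk, and the enclosing class begins and ends outside it.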