ClassicPress 1.1.1 Release Notes

This is no longer the latest release of ClassicPress!
You can find the latest release at the top of the Release Notes subforum.

ClassicPress 1.1.1 is a security release to match the security changes in WordPress versions 5.2.4 and 4.9.12 (both released on October 14, 2019). It is available now.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we strongly recommend applying this update from your site’s dashboard as soon as possible.

Security fixes from ClassicPress 1.1.0

  • Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
  • Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
  • Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.
  • Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
  • Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
  • Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

For more information about the security changes in this release, see the WordPress 5.2.4 release notes post.

Other changes from ClassicPress 1.1.0

This release contains two changes to the build process. These changes do not affect the functionality of the ClassicPress release:

  • Improve the process for listing/building the emoji feature (details)
  • Keep build dependencies up to date (details)

Download this release

New sites Download (9.9 MB)
and follow the installation instructions.
Existing WordPress sites Download the migration plugin and follow the migration instructions.
Existing ClassicPress sites Use the built-in update mechanism (more info).

Full changelog

The full changelog is available on GitHub.