ClassicPress 1.1.2 Release Notes

ClassicPress 1.1.2 is a security release to match the security changes in WordPress versions 5.3.1 and 4.9.13 (both released on December 12, 2019). It is available now.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we strongly recommend applying this update from your site’s dashboard as soon as possible.

Security fixes from ClassicPress 1.1.1

  • Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
  • Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
  • Props to the WordPress Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.

For more information about the security changes in this release, see the WordPress 4.9.13 release notes post.

Download this release

New sites Download (9.9 MB)
and follow the installation instructions.
Existing WordPress sites Download the migration plugin and follow the migration instructions.
Existing ClassicPress sites Use the built-in update mechanism (more info).

Full changelog

The full changelog is available on GitHub.