ClassicPress 1.1.4 Release Notes

This is no longer the latest release of ClassicPress!
You can find the latest release at the top of the Release Notes subforum.

ClassicPress 1.1.4 is a security release to match the security changes in WordPress versions 5.4.2 and 4.9.15 (both released on June 10, 2020). It is available now.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we strongly recommend applying this update from your site’s dashboard as soon as possible.

Security fixes since ClassicPress 1.1.3

  • Props to Luigi – ( for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect()
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation

For more information about the security changes in this release, see the WordPress 4.9.15 release notes post.

Download this release

New sites Download (9.9 MB)
and follow the installation instructions.
Existing WordPress sites Download the migration plugin and follow the migration instructions.
Existing ClassicPress sites Use the built-in update mechanism (more info).

Full changelog

The full changelog is available on GitHub.