This is no longer the latest release of ClassicPress!
You can find the latest release at the top of the Release Notes subforum.
ClassicPress 1.1.4 is a security release to match the security changes in WordPress versions 5.4.2 and 4.9.15 (both released on June 10, 2020). It is available now.
If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we strongly recommend applying this update from your site’s dashboard as soon as possible.
Security fixes since ClassicPress 1.1.3
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in `wp_validate_redirect()`.
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where `set-screen-option` can be misused by plugins leading to privilege escalation.
For more information about the security changes in this release, see the WordPress 4.9.15 release notes post.
Download this release
| New sites | Download ClassicPress-release-1.1.4.zip (9.9 MB) and follow the installation instructions. |
|---|---|
| Existing WordPress sites | Download the migration plugin and follow the migration instructions. |
| Existing ClassicPress sites | Use the built-in update mechanism (more info). |
Full changelog
The full changelog is available on GitHub.