ClassicPress 1.3.0-rc1 Release Notes

We’re happy to announce the first release candidate for ClassicPress 1.3.0.

This release focuses on improving Accessibility in ClassicPress. Accessibility is a key focus for ClassicPress and we will continue to make improvements. We’re happy with these changes so far but they need more testing by the community before a full release including automatic updates.

This release also includes all recent WordPress security fixes. These fixes are best understood as “hardening” - we are not aware of any directly exploitable vulnerabilities in ClassicPress. If you have any questions about this or any security issues to report, as always, please practice responsible disclosure and contact [email protected].

We encourage you to try out this release candidate by pasting the zipfile URL into the “Advanced” section of the migration plugin, and letting us know if you see any issues. See instructions and links below, under “Existing ClassicPress sites” in the “Download this release” section.

New features since 1.2.0

  • Add a new pre_wp_mail filter that allows wp_mail() to be bypassed. The filter gives plugins access to the $atts array that contains the to, subject, message, headers and attachments that were to be processed. Thanks to @MattyRob for helping to backport these changes (#645).
  • Add support for the wp_body_open() hook (#647, thanks @1stepforward and WP contributors)

Accessibility improvements since 1.2.0

  • Make the Widgets screen “Enable accessibility mode” link more discoverable (#700, thanks @MarcoZ and WP contributors)
  • Networks and Sites: mark the New Site required form fields as required (#701, thanks @MarcoZ and WP contributors)
  • Insert Link modal: Improve keyboard interaction (#688, thanks @MarcoZ and WP contributors)
  • Themes: use aria-current for the Walker_Page current link (#694, thanks @MarcoZ and WP contributors)
  • Semantic elements for non-link links: class-wp-posts-list-table.php (#697, thanks @MarcoZ and WP contributors)
  • Update default fallback color for SVG icons (#691, thanks @MarcoZ and WP contributors)
  • Fix a regression in the old media modal pagination links (#689, thanks @MarcoZ and WP contributors)
  • Change the media upload “Dismiss error” link to a button (#698, thanks @MarcoZ and WP contributors)
  • Use aria-current for the paginated post links output by wp_link_pages() (#696, thanks @MarcoZ and WP contributors)
  • Improve the usage of a few label elements in the media templates (#685, thanks @MarcoZ and WP contributors)
  • Improve the “URL” and “Alt text” fields in the media modals (#562, thanks @omukiguy and WP contributors)
  • Improve display and accessibility of meta data in detail view (#693, thanks @MarcoZ and WP contributors)

Minor changes and fixes since 1.2.0

  • Add new ClassicPress tagline (#654, thanks @omukiguy)
  • Check that $wpdb->last_result is countable (#649, thanks @MattyRob and WP contributors)
  • Remove polyfills for PHP < 5.6 (#622, thanks @MattyRob and WP contributors)
  • Ensure user data is fully deleted on Multisite installs (#593, thanks @MattyRob and WP contributors)
  • Pause any playing media when closing the media modal (#657, thanks @MattyRob and WP contributors)
  • Update the Root Certificate bundle (#639, thanks @MattyRob and WP contributors)

Development improvements and fixes since 1.2.0

Security fixes since ClassicPress 1.2.0

  • Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
  • Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
  • Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
  • Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue involving privilege escalation in post commenting via XML-RPC.
  • Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
  • Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
  • Thanks to Slavco for reporting, and Karim El Ouerghemmi for confirming, a method to bypass protected meta that could lead to arbitrary file deletion.
  • And a special thanks to zieladam who was integral in many of the releases and patches during this release.
  • Thank you to SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
  • Thanks to Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API.
  • Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

For more information about the security changes in this release, see the WordPress release notes posts for 4.9.16, 4.9.17, and 4.9.18.

Download this release

  • New sites: Download ClassicPress-release-1.3.0-rc1.zip (9.9 MB) and follow the installation instructions.
  • Existing WordPress sites: Download the migration plugin and follow the migration instructions.
  • Existing ClassicPress sites: Use the “Advanced” section of the migration plugin to switch to the release build (same link as for “New sites” above). This version will be available using the built-in update mechanism when it is released as 1.3.0 final.

Full changelog

The full changelog is available on GitHub.

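The pre_wp_mail filter listed under “New features since 1.2.0” can be used to stop unwanted outgoing mail, for example on a staging copy of a site. The plugin below is an added example, not part of the release notes or of ClassicPress itself; the plugin name, the `smg_` function and constant names and the allowlisted domain are hypothetical, and it assumes the backport keeps the WordPress behaviour where returning a non-null value from the filter makes wp_mail() skip sending and return that value.

```php
<?php
/**
 * Plugin Name: Staging mail guard (added example, hypothetical plugin)
 */

// Constructed allowlist: only these recipient domains may receive mail.
const SMG_ALLOWED_DOMAINS = array( 'example.org' );

/**
 * Decide whether the message described by $atts may be sent.
 * Returns null to let wp_mail() continue, or false to short-circuit it.
 */
function smg_filter_mail( $return, $atts ) {
	if ( null !== $return ) {
		return $return; // Another plugin already handled this message.
	}

	$to = isset( $atts['to'] ) ? $atts['to'] : array();
	if ( ! is_array( $to ) ) {
		$to = explode( ',', $to );
	}
	$subject = isset( $atts['subject'] ) ? (string) $atts['subject'] : '';

	// Reject CR/LF in single-line fields (header injection hardening).
	foreach ( array_merge( $to, array( $subject ) ) as $field ) {
		if ( preg_match( '/[\r\n]/', (string) $field ) ) {
			error_log( 'smg: blocked mail with line break in to/subject' );
			return false;
		}
	}

	foreach ( $to as $recipient ) {
		// Accept "Name <user@host>" as well as a bare address.
		if ( preg_match( '/<([^>]+)>/', $recipient, $m ) ) {
			$recipient = $m[1];
		}
		$domain = strtolower( (string) substr( strrchr( trim( $recipient ), '@' ), 1 ) );
		if ( ! in_array( $domain, SMG_ALLOWED_DOMAINS, true ) ) {
			error_log( 'smg: suppressed mail to non-allowlisted domain' );
			return false;
		}
	}

	return null; // Allowed: wp_mail() proceeds as usual.
}

if ( function_exists( 'add_filter' ) ) {
	add_filter( 'pre_wp_mail', 'smg_filter_mail', 10, 2 );
}
```

Because the callback returns false for suppressed messages, callers of wp_mail() see a failed send rather than a silent success.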

A special thanks to @MattyRob and @omukiguy who were integral for this release