We’re happy to announce the first release candidate for ClassicPress
This release focuses on improving Accessibility in ClassicPress. Accessibility is a key focus for ClassicPress and we will continue to make improvements. We’re happy with these changes so far but they need more testing by the community before a full release including automatic updates.
This release also includes all recent WordPress security fixes. These fixes are best understood as “hardening” - we are not aware of any directly exploitable vulnerabilities in ClassicPress. If you have any questions about this or any security issues to report, as always, please practice responsible disclosure and contact [email protected].
We encourage you to try out this release candidate by pasting the zipfile URL into the “Advanced” section of the migration plugin, and letting us know if you see any issues. See instructions and links below, under the “Download this release → Existing ClassicPress sites” section.
New features since
- Add a new filter, `pre_wp_mail`, that allows `wp_mail()` to be bypassed and gives plugins access to the `$atts` array that contains the to, subject, message, headers and attachments that were to be processed. Thanks to @MattyRob for helping to backport these changes (#645).
- Add support for the `wp_body_open()` hook (#647, thanks @1stepforward and WP contributors)
Accessibility improvements since
- Make the Widgets screen “Enable accessibility mode” link more discoverable (#700, thanks @MarcoZ and WP contributors)
- Networks and Sites: mark the New Site required form fields as required (#701, thanks @MarcoZ and WP contributors)
- Insert Link modal: Improve keyboard interaction (#688, thanks @MarcoZ and WP contributors)
- Themes: use `Walker_Page` current link (#694, thanks @MarcoZ and WP contributors)
- Semantic elements for non-link links: class-wp-posts-list-table.php (#697, thanks @MarcoZ and WP contributors)
- Update default fallback color for SVG icons (#691, thanks @MarcoZ and WP contributors)
- Fix a regression in the old media modal pagination links (#689, thanks @MarcoZ and WP contributors)
- Change the media upload “Dismiss error” link to a button (#698, thanks @MarcoZ and WP contributors)
- `aria-current` for the paginated post links output by `wp_link_pages()` (#696, thanks @MarcoZ and WP contributors)
- Improve the usage of a few label elements in the media templates (#685, thanks @MarcoZ and WP contributors)
- Improve the “URL” and “Alt text” fields in the media modals (#562, thanks @omukiguy and WP contributors)
- Improve display and accessibility of meta data in detail view (#693, thanks @MarcoZ and WP contributors)
Minor changes and fixes since
- Add new ClassicPress tagline (#654, thanks @omukiguy)
- Check that `$wpdb->last_result` is countable (#649, thanks @MattyRob and WP contributors)
- Remove polyfills for PHP < 5.6 (#622, thanks @MattyRob and WP contributors)
- Ensure user data is fully deleted on Multisite installs (#593, thanks @MattyRob and WP contributors)
- Pause any playing media when closing the media modal (#657, thanks @MattyRob and WP contributors)
- Update the Root Certificate bundle (#639, thanks @MattyRob and WP contributors)
Development improvements and fixes since
- Switch from Travis CI to GitHub Actions for automated tests (#655 & #661, thanks @MattyRob and @1stepforward)
- Add some clarity to contributors file (#710, thanks @omukiguy)
- Keep all build dependencies up to date (multiple PRs, thanks renovate-bot)
Security fixes since ClassicPress
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- And a special thanks to zieladam who was integral in many of the releases and patches during this release.
- Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
- Thanks Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API.
- Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.
Download this release
and follow the installation instructions.
|Existing WordPress sites||Download the migration plugin and follow the migration instructions.|
|Existing ClassicPress sites||Use the “Advanced” section of the migration plugin to switch to the release build (same link as for “New sites” above). This version will be available using the built-in update mechanism when it is released as
The full changelog is available on GitHub.