ClassicPress 1.3.0 Release Notes

This is no longer the latest release of ClassicPress!
You can find the latest release at the top of the Release Notes subforum.

We’re happy to announce the release of ClassicPress 1.3.0. This release focuses on improving accessibility, which is an important goal for ClassicPress now and going forward. This release also contains several bug fixes and security fixes.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, you can upgrade your site(s) to 1.3.0 as you have time.

New features since 1.2.0

  • Add new filter to allow wp_mail() to be bypassed which adds a new filter pre_wp_mail which allows plugins to access the $atts array that contains the to, subject, message, headers and attachments that were to be processed. Thanks to @MattyRob for helping to backport these changes (#645).
  • Add support for the wp_body_open() hook (#647, thanks @1stepforward and WP contributors)

Accessibility improvements since 1.2.0

  • Make the Widgets screen “Enable accessibility mode” link more discoverable (#700, thanks @MarcoZ and WP contributors)
  • Networks and Sites: mark the New Site required form fields as required (#701, thanks @MarcoZ and WP contributors)
  • Insert Link modal: Improve keyboard interaction (#688, thanks @MarcoZ and WP contributors)
  • Themes: use aria-current for the Walker_Page current link (#694, thanks @MarcoZ and WP contributors)
  • Semantic elements for non-link links: class-wp-posts-list-table.php (#697, thanks @MarcoZ and WP contributors)
  • Update default fallback color for SVG icons (#691, thanks @MarcoZ and WP contributors)
  • Fix a regression in the old media modal pagination links (#689, thanks @MarcoZ and WP contributors)
  • Change the media upload “Dismiss error” link to a button (#698, thanks @MarcoZ and WP contributors)
  • use aria-current for the paginated post links output by wp_link_pages() (#696, thanks @MarcoZ and WP contributors)
  • Improve the usage of a few label elements in the media templates (#685, thanks @MarcoZ and WP contributors)
  • Improve the “URL” and “Alt text” fields in the media modals (#562, thanks @omukiguy and WP contributors)
  • Improve display and accessibility of meta data in detail view (#693, thanks @MarcoZ and WP contributors)

Minor changes and fixes since 1.2.0

  • Add new ClassicPress tagline (#654, thanks @omukiguy)
  • Check that $wpdb->last_result is countable (#649, thanks @MattyRob and WP contributors)
  • Remove polyfills for PHP < 5.6 (#622, thanks @MattyRob and WP contributors)
  • Ensure user data is fully deleted on Multisite installs (#593, thanks @MattyRob and WP contributors)
  • Pause any playing media when closing the the media modal (#657, thanks @MattyRob and WP contributors)
  • Update the Root Certificate bundle (#639, thanks @MattyRob and WP contributors)

Development improvements and fixes since 1.2.0

Security fixes since ClassicPress 1.2.0

  • Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
  • Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
  • Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
  • Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
  • Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
  • Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
  • Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
  • And a special thanks to zieladam who was integral in many of the releases and patches during this release.
  • thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8
  • thanks Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API
  • Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

For more information about the security changes in this release, see the WordPress release notes posts for 4.9.16, 4.9.17, and 4.9.18.

Download this release

New sites Download
and follow the installation instructions.
Existing WordPress sites Download the migration plugin and follow the migration instructions.
Existing ClassicPress sites Use the built-in update mechanism (more info).

Full changelog

The full changelog is available on GitHub.