We’re happy to announce the release of ClassicPress
This release contains security fixes to match the security changes in WordPress versions 6.0.3 and 4.9.22 (both released earlier this week). It is available now.
- Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Open redirect in
- Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
- CSRF in wp-trackback.php – Simon Scannell
- Stored XSS via the Customizer – Alex Concha from the WordPress security team
- Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
- Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
- Data exposure via the REST Terms/Tags Endpoint – Than Taintor
- Content from multipart emails leaked – Thomas Kräftner
- RSS Widget: Stored XSS issue – Third-party security audit
For new features as compared to 1.4.3 and older releases of ClassicPress, please see the version 1.4.3 release notes.
If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we recommend upgrading your site(s) to 1.4.4 to receive all the latest fixes and updates.
and follow the installation instructions.
- Existing WordPress sites: Download the migration plugin and follow the migration instructions.
- Existing ClassicPress sites: Use the built-in update mechanism (more info).
The full changelog is available on GitHub.