ClassicPress 1.4.4 Release Notes

This is no longer the latest release of ClassicPress!
You can find the latest release at the top of the Release Notes subforum.

We’re happy to announce the release of ClassicPress 1.4.4.

This release contains security fixes to match the security changes in WordPress versions 6.0.3 and 4.9.22 (both released earlier this week). It is available now.

• Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Open redirect in wp_nonce_ays – devrayn
• Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
• CSRF in wp-trackback.php – Simon Scannell
• Stored XSS via the Customizer – Alex Concha from the WordPress security team
• Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
• Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
• Data exposure via the REST Terms/Tags Endpoint – Than Taintor
• Content from multipart emails leaked – Thomas Kräftner
• RSS Widget: Stored XSS issue – Third-party security audit

For new features as compared to 1.4.3 and older releases of ClassicPress, please see the version 1.4.3 release notes.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we recommend upgrading your site(s) to 1.4.4 to receive all latest fixes and updates.

Download this release

Full changelog

The full changelog is available on GitHub.