ClassicPress 1.4.4 Release Notes

We’re happy to announce the release of ClassicPress 1.4.4.

This release contains security fixes to match the security changes in WordPress versions 6.0.3 and 4.9.22 (both released earlier this week). It is available now.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in wp_nonce_aysdevrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • RSS Widget: Stored XSS issue – Third-party security audit

For new features as compared to 1.4.3 and older releases of ClassicPress, please see the version 1.4.3 release notes.

If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we recommend upgrading your site(s) to 1.4.4 to receive all latest fixes and updates.

Download this release

New sites Download
ClassicPress-release-1.4.4.zip
and follow the installation instructions.
Existing WordPress sites Download the migration plugin and follow the migration instructions.
Existing ClassicPress sites Use the built-in update mechanism (more info).

Full changelog

The full changelog is available on GitHub.

5 Likes