Question about the jQuery patch - although Github says the jQuery 3.4.0 security patch has been applied to jQuery 1.12.4 as used in ClassicPress, when you load a CP 1.0.2 site and view source, the jQuery script tag still shows version 1.12.4. This means two things:
- It will not be reloaded for a while on sites that have a cache operating, so the vulnerability will still be present
- Penetration testing tools may not realise the file is patched and would therefore still report a vulnerability.
Can anything be done about this?