jQuery patch in 1.0.2 did not receive a new version number

Question about the jQuery patch - although Github says the jQuery 3.4.0 security patch has been applied to jQuery 1.12.4 as used in ClassicPress, when you load a CP 1.0.2 site and view source, the jQuery script tag still shows version 1.12.4. This means two things:

  1. It will not be reloaded for a while on sites that have a cache operating, so the vulnerability will still be present
  2. Penetration testing tools may not realise the file is patched and would therefore still report a vulnerability.

Can anything be done about this?


I think this is worth fixing in our upcoming 1.1.0 release, for example by bumping the jQuery version to 1.12.4-wp1. Tracking this issue here - https://github.com/ClassicPress/ClassicPress/issues/476


Thanks James.

1 Like