ClassicPress 1.1.1
16 November 2019
ClassicPress version 1.1.1 is now available (major release).
What's New in ClassicPress 1.1.1
ClassicPress 1.1.1 is a security release to match the security changes in WordPress versions 5.2.4 and 4.9.12 (both released on October 14, 2019).
Security fixes from ClassicPress 1.1.0
- Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
- Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
- Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.
- Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
- Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
- Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.
For more information about the security changes in this release, see the WordPress 5.2.4 release notes post.
Other changes from ClassicPress 1.1.0
This release contains two changes to the build process. These changes do not affect the functionality of the ClassicPress release:
- Improve the process for listing/building the emoji feature (details)
- Keep build dependencies up to date (details)