ClassicPress 1.4.4

@mattyrob mattyrob released this 27 Oct 15:56
1.4.4

ClassicPress 1.4.4 is available now - use the "Source code (zip)" file below.

Here are the highlights from this release:

Notable changes since ClassicPress 1.4.3

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in wp_nonce_ays – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • RSS Widget: Stored XSS issue – Third-party security audit

More information

See the release announcement post on our forums for more details, or have a look at the full changelog here on GitHub:

ClassicPress/ClassicPress@1.4.3+dev...1.4.4+dev