Releases: ClassicPress/ClassicPress-release
ClassicPress 1.3.0-rc1
ClassicPress 1.3.0-rc1 is available now - use the "Source code (zip)" file below.
Here are the highlights from this release:
Major changes since ClassicPress 1.2.0
This release focuses on improving Accessibility in ClassicPress. Accessibility is a key focus for ClassicPress and we will continue to make improvements. We’re happy with these changes so far but they need more testing by the community before a full release including automatic updates.
This release also includes all recent WordPress security fixes. These fixes are best understood as "hardening" - we are not aware of any directly exploitable vulnerabilities in ClassicPress. If you have any questions about this or any security issues to report, as always, please practice responsible disclosure and contact security@classicpress.net.
More information
See the release announcement post on our forums for more details, or have a look at the full changelog here on GitHub:
ClassicPress 1.2.0
ClassicPress 1.2.0 is available now - use the "Source code (zip)" file below.
Here are the highlights from this release:
Major changes since ClassicPress 1.1.4
- Full support for PHP 7.4 in all known core code
- Our first new feature that started as an organic idea from our own community
- and a lot of smaller bugfixes and polishing.
More information
See the release announcement post on our forums for more details, or have a look at the full changelog here on GitHub:
ClassicPress 1.2.0-rc1
ClassicPress 1.2.0-rc1 adds full support for PHP 7.4 in all known core code, our first new feature that started as an organic idea from our own community, and a lot of smaller bugfixes and polishing.
It is available now - use the "Source code (zip)" file below. We’re happy with these changes so far but they need more testing by the community before a full release including automatic updates.
We encourage you to try out this release candidate by pasting the zipfile URL into the "Advanced" section of the migration plugin, and letting us know if you see any issues.
New features since 1.1.4
A new setting to allow specifying a custom image on the login screen, based on a community petition. This is our second try at implementing this feature. More details including screenshots are available on the main GitHub PR (#601). Thanks to @bahiirwa for helping to code this feature.
Full support for PHP 7.4 at least when running ClassicPress itself. Plugins and themes may still need updating for full PHP 7.4 compatibility with no notices or warnings, and there may still be some cases where ClassicPress can work together better with plugins or themes in order to ensure compatibility. Here is one example of non-standard theme code causing a notice that will be fixed in a future ClassicPress release. Thanks to @mattyrob for helping to backport some of these changes (see #541 and #603).
Minor changes and fixes since 1.1.4
- Update wording that links to privacy policy (#615)
- Fix a backward compatibility issue with the new set_screen_option_{$option} filter (#589, thanks @mattyrob and WP contributors)
- Fix PHP notice and unexpected behavior when editing a post with an invalid author (#572, thanks @mattyrob)
- Prevent update notices from the default Twenty Fifteen, Sixteen, Seventeen themes for new sites (#559, thanks @timbocode for reviewing)
- Improve compatibility with more MySQL server configurations (#558)
- Guard against duplicate MIME-Version header in outgoing emails (#528, thanks @mattyrob and WP contributors)
- Fix the return value of the classicpress_version_short() function for some build types (#511)
- Fix the admin bar logo position with the Twenty Twenty theme (#533)
- Use robots meta tag to better discourage search engines (#535, thanks @mattyrob and WP contributors)
- Remove angle brackets from password reset URL in email to avoid broken links (#536, thanks @mattyrob and WP contributors)
- Add rel="noopener noreferrer" to plugins screen links (#532, thanks @bahiirwa)
- Improve readability of the About page in the dashboard (#512, #513, thanks @pattonwebz and @bahiirwa for reviewing)
- Add unique classes to the user profile editing page <h2> tags to facilitate styling (#448, thanks @johnalarcon)
Development improvements and fixes since 1.1.4
- Decrease the number of npm dependencies required to build ClassicPress by about 40% (#606, #607, #608). There is still more to do but these changes have already made the process of preparing builds and releases much faster!
- Improve PHPUnit testing documentation (#563, #566, thanks @bahiirwa for reviewing)
- Prepare the translation extraction script for our new translation system (#547)
- Keep all build dependencies up to date (multiple PRs, thanks renovate-bot)
- Several changes and fixes to the script we use to backport changes from WordPress (#540, #548, #549, #554, #585)
More information
ClassicPress 1.1.4
ClassicPress 1.1.4 is a security release to match the security changes in WordPress versions 5.4.2 and 4.9.15 (both released on June 10, 2020).
It is available now - use the "Source code (zip)" file below.
Security fixes since ClassicPress 1.1.3
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect()
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads
- Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation
For more information about the security changes in this release, see the WordPress 4.9.15 release notes post.
More information
ClassicPress 1.1.3
ClassicPress 1.1.3 is a security release to match the security changes in WordPress versions 5.4.1 and 4.9.14 (both released on April 29, 2020).
It is available now - use the "Source code (zip)" file below.
Security fixes since ClassicPress 1.1.2
- Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated
- Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated
- Props to Evan Ricafort for discovering an XSS issue in the Customizer
- Props to Nick Daugherty from WPVIP.com / WordPress Security Team who discovered an XSS issue in wp-object-cache
- Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
For more information about the security changes in this release, see the WordPress 4.9.14 release notes post.
More information
ClassicPress 1.1.2
ClassicPress 1.1.2 is a security release to match the security changes in WordPress versions 5.3.1 and 4.9.13 (both released on December 12, 2019).
It is available now - use the "Source code (zip)" file below.
Security fixes from ClassicPress 1.1.1
- Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
- Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
- Props to the WordPress Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
For more information about the security changes in this release, see the WordPress 4.9.13 release notes post.
More information
ClassicPress 1.1.1
ClassicPress 1.1.1 is a security release to match the security changes in WordPress versions 5.2.4 and 4.9.12 (both released on October 14, 2019).
It is available now - use the "Source code (zip)" file below.
Security fixes from ClassicPress 1.1.0
- Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
- Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
- Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
- Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
- Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
- Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.
For more information about the security changes in this release, see the WordPress 5.2.4 release notes post.
Other changes from ClassicPress 1.1.0
This release contains two changes to the build process. These changes do not affect the functionality of the ClassicPress release:
- Improve the process for listing/building the emoji feature (details)
- Keep build dependencies up to date (details)
More information
ClassicPress 1.1.0
We're happy to announce the release of ClassicPress 1.1.0, available now. This release contains a new feature that we think the community will be happy with, as well as several months' worth of smaller changes and bugfixes.
Use the "Source code (zip)" file below.
New feature since 1.0.2
Add a new top-level Security page to the admin screen. This is a centralized place for plugins to register their security-related settings, to make them easier to find and audit. (details, documentation, petition)
Minor changes and fixes since 1.0.2
- Update the list of files to remove during installation. This ensures that no extra files are left over after migration from WordPress. (details)
- Update the jQuery version string after the security patch applied in ClassicPress 1.0.2. (details)
- Add ClassicPress changelog links to the dashboard's About page. (details)
- Fix potentially overlapping notices in the Themes section of the dashboard. (details)
- Fix potential upload failures of common text file types. (details)
- Fix an issue with published post dates when using the XML-RPC API, for example with external editors. (details)
- Fix a PHP notice in the dashboard petitions widget. (details)
- Fix a "Source map" browser warning related to a TinyMCE file. (details)
- Remove unnecessary role="navigation" attribute from pagination elements. This is an improvement to HTML5 validation. (details)
- Remove angle brackets from link in password reset email. This caused problems with some email clients. (details)
- Update links to support/documentation pages in wp-config-sample.php. (details)
- Include latest emoji code from WP. It will be possible to disable this feature in ClassicPress v2, but for now we've needed to keep it up to date to keep our builds passing. (details)
Development improvements and fixes since 1.0.2
- Provide a set of contribution guidelines for the core project. (details)
- Update/improve the ClassicPress project's readme on GitHub. (details)
- Keep build dependencies up to date. (details)
- Modernize the build scripts and the browserslist configuration. (details)
- Add initial automated tests for wp-login.php. (details)
- Miscellaneous other improvements to the build and automated tests. (details 1, details 2, details 3)
More information
ClassicPress 1.1.0-rc1
We're happy to announce the first release candidate for ClassicPress 1.1.0. This release contains two new features that we think the community will be happy with, as well as several months' worth of smaller bugfixes. We're happy with these changes but they need more testing by the community before a full release including automatic updates.
Use the "Source code (zip)" file below.
New features since 1.0.2
- Add an option to show the site's custom logo on the login page instead of the ClassicPress logo. This is disabled by default, but it is a common way for sites to customize their own public-facing branding, and now changing this image doesn't require any plugins. (details)
- Add a new top-level Security page to the admin screen. This is a centralized place for plugins to register their security-related settings, to make them easier to find and audit. (details, documentation)
Minor changes and fixes since 1.0.2
- Update the list of files to remove during installation. This ensures that no extra files are left over after migration from WordPress. (details)
- Update the jQuery version string after the security patch applied in ClassicPress 1.0.2. (details)
- Add ClassicPress changelog links to the dashboard's About page. (details)
- Fix potentially overlapping notices in the Themes section of the dashboard. (details)
- Fix potential upload failures of common text file types. (details)
- Fix an issue with published post dates when using the XML-RPC API, for example with external editors. (details)
- Fix a PHP notice in the dashboard petitions widget. (details)
- Fix a "Source map" browser warning related to a TinyMCE file. (details)
- Remove unnecessary role="navigation" attribute from pagination elements. This is an improvement to HTML5 validation. (details)
- Remove angle brackets from link in password reset email. This caused problems with some email clients. (details)
- Update links to support/documentation pages in wp-config-sample.php. (details)
- Include latest emoji code from WP. It will be possible to disable this feature in ClassicPress v2, but for now we've needed to keep it up to date to keep our builds passing. (details)
Development improvements and fixes since 1.0.2
- Provide a set of contribution guidelines for the core project. (details)
- Update/improve the ClassicPress project's readme on GitHub. (details)
- Keep build dependencies up to date. (details)
- Modernize the build scripts and the browserslist configuration. (details)
- Add initial automated tests for wp-login.php. (details)
- Miscellaneous other improvements to the build and automated tests. (details 1, details 2, details 3)
More information
ClassicPress 1.0.2
ClassicPress 1.0.2 is a security release to match the security changes in WordPress versions 5.2.3 and 4.9.11 (both released yesterday). It is available now - use the "Source code (zip)" file below.
Security fixes from 1.0.1
- Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
- Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
- Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
- Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
- Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
- Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
- In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.
For more information about the security changes in this release, see the WordPress 5.2.3 release notes post.