Hosting ClassicPress

1.1.4
 (Sicherheitsupdate)
21 Juni - 55MBClassicPress 1.1.4 is a security release to match the security changes in WordPress versions 5.4.2 and 4.9.15 (both released on June 10, 2020).



Security

fixed an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files

fixed an open redirect issue in wp_validate_redirect()

fixed an authenticated XSS issue via theme uploads

fixed an issue where set-screen-option can be misused by plugins leading to privilege escalation

Lesen Sie mehr: https://forums.classicpress.net/t/classicpress-1-1-4-release-notes/2371






1.1.3
 (Sicherheitsupdate)
7 Mai - 55MB1.1.3



ClassicPress 1.1.3 is a security release to match the security changes in WordPress versions 5.4.1 and 4.9.14 (both released on April 29, 2020).



If your ClassicPress site has automatic updates enabled (the default configuration), then the new version will be installed automatically. Otherwise, we strongly recommend applying this update from your site’s dashboard as soon as possible.



Security

fixed an issue where password reset tokens were not properly invalidated

fixed an issue where certain private posts can be viewed unauthenticated

fixed an XSS issue in the Customizer

fixed an XSS issue in wp-object-cache

fixed an XSS issue in file uploads.



1.1.2



ClassicPress 1.1.2 is a security release to match the security changes in WordPress versions 5.3.1 and 4.9.13 (both released on December 12, 2019).



Security

fixed an issue where an unprivileged user could make a post sticky via the REST API.

fixed an issue where cross-site scripting (XSS) could be stored in well-crafted links.

hardened wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.

Lesen Sie mehr: https://forums.classicpress.net/t/classicpress-1-1-3-release-notes/2301






1.1.1
 (Hauptversion)
16 November 2019 - 55MBClassicPress 1.1.1 is a security release to match the security changes in WordPress versions 5.2.4 and 4.9.12 (both released on October 14, 2019).



Security fixes from ClassicPress 1.1.0

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.

Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.

Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.

Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.

Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.

Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.



For more information about the security changes in this release, see the WordPress 5.2.4 release notes post.



Other changes from ClassicPress 1.1.0



This release contains two changes to the build process. These changes do not affect the functionality of the ClassicPress release:

Improve the process for listing/building the emoji feature (details)

Keep build dependencies up to date (details)