CiviCRM 5.20 Security Release (and 5.19.4, 5.13.8 ESR)

2019-12-04 13:38
Written by

CiviCRM version 5.20.0 is now out and ready to download.

Important Notice: This is a security release. We recommend you immediately upgrade to one of the following versions:

  • CiviCRM v5.20.0
  • CiviCRM v5.19.4
  • CiviCRM v5.13.8 ESR

Below are the security advisories details:

Bugs resolved in 5.19.4:

  • Event Search: Fix Name badge generation from Event Search (dev/core#1422: #15984)
  • Smart Groups: Fix smart groups that had stored form values for custom fields that are search by range that are not of type date (#15977)

Upgrade now for the most stable CiviCRM experience:

Note: If you use CiviCRM v5.13.7 ESR with the APIv4 extension ("org.civicrm.api4"), you should double-check that your system is running version 4.4.5. In v5.19+, no extra check is necessary. The APIv4 extension is now included in the main CiviCRM archives. If you had installed the extension separately, you can delete that copy of the extension.

Update your mailing preferences to receive security advisories by e-mail (including pre-announcements when possible). You can also view all security advisories.

What's new in CiviCRM 5.20

This version fixes security vulnerabilities, changes the database schema, has changes to the API, requires attention to configuration options, fixes problems when upgrading from a previous version, as well as the usual bugfixes and minor feature improvements.

  • Fixes the charts from the contribution dashboard (which were in Flash and therefore seemed broken for most users)
  • Workflow Templates: Many syntax simplifications, grammar improvements and removal of the infamous "Please print this page for your records.". Also, templates now use the "greeting" field instead of the previous "Dear [first name]", making it easier to change the salutations without editing the workflow templates.
  • Removal of the print icon from the upper left hand corner of all pages
  • The Advanced Search can now search in the description field of relationships
  • Payment Processors can now have an "internal name" and a separate public name (which can be useful for when you have two processor for credit cards, but still want to display "Credit Card" on forms)
  • CiviContribute APIs had a few improvements (Order API, notably). The 'transact' API is also now officially deprecated.
  • WordPress integration now uses the new CiviCRM installer, which greatly improves the CiviCRM installation process for WordPress sites by redirecting users to an install screen when the CiviCRM plugin is activated. Also gets us closer to listing CiviCRM on the WordPress plugin directory.
  • A few usability improvements in CiviCase, including improvements to the readability of custom fields. Also fixes the longstanding name vs label problems for case roles.

This is only a short overview. You can read the full release notes here. Big thanks to Andrew Hunt and Alice Frumin from AGH Strategies for putting up together release notes.

The complete list of 5.20.0 contributors (it's a huge team!) can be found here. Thanks to everyone for making this release happen!

Support CiviCRM

We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen.


Hi guys, is there a patch one could apply to 5.19.3 to fix the security issue?

Thanks bgm. Sorry, I just realized my question wasn't what I really wanted to ask. I understand there is a 5.19.4 version I can update to, but the problem is I have to go through the very time-consuming task of performing the whole update. What I am looking to do is to manually apply a code change that would resolve the security vulnerability. Is it possible to see what the fix is for the security vulnerability so I can change those lines of code that constitute the fix?