Release 4.25.2

changelog.txt

@@ -1,5 +1,24 @@
 *** Changelog ***
 
+## 4.25.2 - 2025-12-16
+### Security
+- Fix XSS vulnerability in the Contact Teacher block
+
+### Removed
+- Remove "new" badge from Appearance settings tab [#7874](https://github.com/Automattic/sensei/pull/7874)
+
+### Fixed
+- Allow multiple choice quiz questions with no wrong answers [#7872](https://github.com/Automattic/sensei/pull/7872)
+- Fix Course List pattern not working with newest Gutenberg [#7876](https://github.com/Automattic/sensei/pull/7876)
+- Fix error when activating MailPoet [#7864](https://github.com/Automattic/sensei/pull/7864)
+- Fix lesson comments being visible to unregistered users in some cases [#7848](https://github.com/Automattic/sensei/pull/7848)
+- Fix reports screen times out on larger sites [#7859](https://github.com/Automattic/sensei/pull/7859)
+- Fix the course structure API exposing the lesson AI generated bootstrap text [#7869](https://github.com/Automattic/sensei/pull/7869)
+- Prevent duplicate queries from happening on every block render [#7860](https://github.com/Automattic/sensei/pull/7860)
+
+### Development
+- Add CLI command for recalculating course enrolment [#7877](https://github.com/Automattic/sensei/pull/7877)
+
 ## 4.25.1 - 2025-09-18
 ### Security
 - Add authorization check when updating the lesson course relation

includes/blocks/class-sensei-block-contact-teacher.php

@@ -131,11 +131,20 @@ private function teacher_contact_form( $post ) {
 	 * @return string Block HTML with additional href attribute.
 	 */
 	private function add_button_attributes( $content, $href ) {
-		return preg_replace(
-			'/<a(.*)class="(.*)"(.*)>(.+)<\/a>/',
-			'<a href="' . esc_url( $href ) . '#private_message" class="sensei-contact-teacher-open $2" data-sensei-modal-open $1 $3>$4</a>',
-			$content,
-			1
+		return wp_kses(
+			preg_replace(
+				'/<a(.*)class="(.*)"(.*)>(.+)<\/a>/',
+				'<a href="' . esc_url( $href ) . '#private_message" class="sensei-contact-teacher-open $2" data-sensei-modal-open $1 $3>$4</a>',
+				$content,
+				1
+			),
+			[
+				'a' => [
+					'href'                   => [],
+					'class'                  => [],
+					'data-sensei-modal-open' => [],
+				],
+			]
 		);
 	}
 }

includes/class-sensei.php

@@ -852,7 +852,7 @@ public function initialize_global_objects() {
 	/**
 	 * Initialize MailPoet integration.
 	 *
-	 * @since $$next-version$$
+	 * @since 4.25.2
 	 */
 	public function initialize_mailpoet() {
 		if ( class_exists( \MailPoet\API\API::class ) ) {

includes/cli/class-sensei-enrolment-course-calculation-command.php

@@ -12,7 +12,7 @@
 /**
  * WP-CLI command that runs the course enrolment calculation job.
  *
- * @since $$next-version$$
+ * @since 4.25.2
  */
 class Sensei_Enrolment_Course_Calculation_Command {
 

includes/unsupported-theme-handlers/class-sensei-unsupported-theme-handler-cpt.php

@@ -254,7 +254,7 @@ private function is_lesson_cpt_in_block_fse_theme() {
 	 * Comments are only shown for lessons in block themes if the user can view
 	 * the lesson.
 	 *
-	 * @since $$next-version$$
+	 * @since 4.25.2
 	 *
 	 * @return bool
 	 */