It's been a long time since MODX 2.7.1 in February this year. Today MODX 2.7.2 has been made available, bringing useful stability and security improvements.

First-off, the security-related fixes:

  • A security update for PHPMailer has been included
  • The setup will now be locked when it has been executed, avoiding your site from getting taken over if you (despite the warnings) leave the setup directory in place.
  • Several XSS vulnerabilities in the manager have been corrected, including in the contexts grid and trash manager
  • The extension checks in the file upload handling now apply to extracting zip files
  • The default RSS feeds on the homepage are now loaded over HTTPS instead of HTTP
  • Prevent users without edit_locked permission from editing locked elements

2.7.2 also includes PHP/MySQL compatibility fixes:

  • Escape usage of the field name "rank", which is a newly reserved word in MySQL 8.0.2
  • Deprecated calls to create_function() (in modProcessor and modConnectorResponse) and each() (in lang.js.php processor) have been fixed
  • Fix notices related to IMG_WEBP constant, following introduction of webp support in 2.7.1, in PHP versions that don't announce webp support
  • Restored PHP 5.3 compatibility that was accidentally removed in 2.7.0 (but really, you should be using at least PHP 7.2 by now)

Finally, other miscellaneous fixes to give you a more stable experience:

  • Descriptions for system settings can now contain a limited, safe, subset of html
  • Allow empty captions when duplicating template variables
  • Prevent JS errors in edge cases when the modx-content is not yet available
  • Nested items in the manager menu now show the "there's a submenu here" indicator
  • Improve value checking for the url_scheme setting when set to -1
  • Fix automatically publishing resources a second too late
  • Fix pngs losing transparency in template variables
  • Add default scroll styles in webkit based browsers
  • "Manager Actions" is now "Manager Log"
  • phpThumb updated so images with transparency don't get a black background when converted to a different version
  • Fix file type check in media sources disregarding the upload_images setting
  • Fix thumbnail rendering for files with a space in the URL
  • Fix message shown to users when they login after their account was blocked by too many incorrect login attempts
  • Use proper icon when setting descending sort order on a grid
  • Don't execute the upgrade script for the last installed version twice
  • Fix friendly_alias_realtime setting not being properly reflected
  • The value "0" is now considered not empty in the modRestController

All-in-all, this is a very welcome stability release.

Read the official announcement and download 2.7.2 from to upgrade your site manually.

If you'd rather sit back with some coffee (or other beverage of your choice) while all your sites are remotely upgraded for you, why not try SiteDash's remote MODX upgrades? SiteDash is free to try for a month, and your upgrades only take 30-60 seconds each.