Reflected Cross-Site Scripting Vulnerability in Movable Type
CVE-2025-25054

6.1MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type (8.4.x Series); Movable Type (8.0.x Series); Movable Type Advanced (8.4.x Series); Movable Type Advanced (8.0.x Series)
Vendor: CVE Published:; 19 February 2025

Summary

Movable Type is susceptible to a reflected cross-site scripting vulnerability affecting the user information edit page. When the Multi-Factor Authentication plugin is enabled, an attacker can craft a malicious page. If a logged-in user accesses this page, it could lead to the execution of arbitrary scripts in the user’s web browser, potentially compromising their session and personal data.

Affected Version(s)

Movable Type (8.0.x series) 8.0.5 and earlier

Movable Type (8.4.x series) 8.4.1 and earlier

Movable Type Advanced (8.0.x series) 8.0.5 and earlier

References

https://www.movabletype.org/news/2025/02/mt-842-released....

https://jvn.jp/en/jp/JVN48742353/

CVSS V3.0

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 19, 2025
Vulnerability Reserved
Feb 3, 2025