CVE-2020-5577
Description
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a PHP script via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type series contains an unrestricted file upload vulnerability allowing authenticated remote attackers to execute arbitrary PHP code.
Vulnerability
Movable Type series (including Movable Type 7 r.4606 (7.2.1) and earlier, Movable Type Advanced 7 r.4606 (7.2.1) and earlier, Movable Type for AWS 7 r.4606 (7.2.1) and earlier, Movable Type 6.5.3 and earlier, Movable Type Advanced 6.5.3 and earlier, Movable Type 6.3.11 and earlier, Movable Type Advanced 6.3.11 and earlier, Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) contains a vulnerability that permits unrestricted upload of files with specific extensions (CWE-434) [1]. This allows remote authenticated attackers to upload arbitrary files and execute a PHP script via unspecified vectors [1].
Exploitation
An attacker must have valid authentication credentials for the Movable Type system. No additional user interaction is required. The attacker can upload a specially crafted PHP file to the server, which can then be executed remotely [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to potential disclosure of sensitive information, modification of data, or denial of service. The CVSS v3 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L [1].
Mitigation
Six Apart released fixed versions: Movable Type 7 r.4607 (v7.3.0), Movable Type 6.6.0, and Movable Type 6.3.12 [2]. Users should upgrade to the latest versions. If upgrading is not possible, restrict file upload capabilities to trusted users only.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.2.1
- Range: <=1.29
- Six Apart Ltd./Movable Type (v5), Range: Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
References
- [1] jvn.jp/en/jp/JVN28806943/index.html (mitre, x_refsource_MISC)
- [2] movabletype.org/news/2020/05/mt-730-660-6312-released.html (mitre, x_refsource_MISC)