CVE-2025-25054
Description
Movable Type contains a reflected cross-site scripting vulnerability in the user information edit page. When the Multi-Factor authentication plugin is enabled and a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed in the user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type user info edit page has a reflected XSS vulnerability exploitable when the Multi-Factor authentication plugin is enabled.
Vulnerability
CVE-2025-25054 is a reflected cross-site scripting (XSS) vulnerability in the user information edit page of Movable Type, affecting versions 8.4.1 and earlier, 8.0.5 and earlier, and the Premium and Cloud editions up to 2.06 and 8.4.1 respectively [1]. The root cause is improper sanitization of user-supplied input on the user edit page; the vulnerable code path is only active when the Multi-Factor authentication plugin for Sign-in is enabled [1].
Attack Vector
An attacker can craft a malicious URL or page that, when accessed by a logged-in Movable Type user, causes the malicious script to be reflected in the context of the user information edit page [1]. No authentication is required to deliver the crafted page, but the victim must be authenticated to the Movable Type instance for the script to execute [1]. The attack requires user interaction (clicking the crafted link or visiting the page) [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the security context of the Movable Type application [1]. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The CVSS v3 base score is 6.1 (Medium), with a network attack vector, low attack complexity, and no privileges required [1].
Mitigation
Six Apart has released Movable Type 8.4.2, 8.0.6, and version 7 r.5507 (v7.906.2), which fix this vulnerability [2]. Users should upgrade to the latest versions. Note that Movable Type 8.0 and 7 have reached end of maintenance (EOM), but security support for 8.0.x continues until November 1, 2025 [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.