CVE-2025-22888

Summary

Movable Type contains a stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor. If exploited, an arbitrary script may be executed on a logged-in user's web browser.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Premium (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Cloud Edition (8.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Premium Cloud Edition (2.x series)2.06 and earlieraffected

Weaknesses

  • CWE-79: Cross-site scripting (XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References