CVE-2025-24841 MEDIUM

CVE-2025-24841

Vendor Six Apart Ltd.
Product Movable Type (8.4.x series)
Weakness CWE-79 · XSS
Published February 19, 2025
Last update February 19, 2025
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor. It is exploitable when TinyMCE6 is used as a rich text editor and an arbitrary script may be executed on a logged-in user's web browser.

Key dates

02Disclosure timeline

February 19, 2025 CVE published
February 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50350 LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/app/Http/Controllers/Table/EditPortsController.php CVE-2025-22679 WordPress Job Board Manager Plugin <= 2.1.61 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2021-25001 Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module CVE-2025-47501 WordPress Content Control plugin <= 2.6.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-32651 WordPress SERPed.net Plugin <= 4.6 - Reflected Cross Site Scripting (XSS) vulnerability