Not a developer? Go to


Movable Type 7 r.5401 (7.9.6) Release Notes

This version of Movable Type was released November 16, 2022.

Movable Type 7 r.5401 (7.9.6) Release Notes. This version includes security fixes.

Security issues

  • [MTC-28560] Fixed Cross Site Scripting (XSS) in Google Analytics plugin (CVE-2022-45122)
  • [MTC-28559] Fixed Open Redirect issue on the password reset page (CVE-2022-45113)
  • [MTC-27183] Fixed arbitrary Perl code to be executed via the name value of ContentField (CVE-2022-43660)

New and Improved features

  • [MTC-28430] New TinyMCE 6 / FormattedTextForTinyMCE6 Plugins, which includes TinyMCE 6.2.0. The plugins are enabled by default on new installations.
  • [MTC-28594] Added Configuration Directive DBIShowErrorStatement to display the SQL statement when a query fails to execute in the database; if DebugMode is enabled and set to 1, it will appear at the end of the error message
  • [MTC-28593] Updated js-cookie to v3.0.1
  • [MTC-28581] Themes with missing system templates are now automatically added when initializing, reapplying, modifying, or upgrading Movable Type
  • [MTC-28572] The structure of DataAPI modules has been changed. v1 modules have been moved under the v1 directory. In future versions, the v1 modules directly under MT::DataAPI::resource will be deprecated
  • [MTC-28554] Due to the end of Internet Explorer support, we have stopped using the svg4everybody polyfill. You can temporarily continue to use it by setting the new UseSVGForEverybody Configuration Directive to 1, but we plan to include and remove this Configuration Directive in a future version
  • [MTC-28537] Updated jQuery Validation Plugin to 1.19.5
  • [MTC-28535] We have stopped using jquery.json.js and replaced it with JSON.stringify. You can continue to use it by setting the new UseJQueryJSON Configuration Directive to 1, but we plan to remove this and other environment variables in a future version
  • [MTC-28532] Added Configuration Directive WaitAfterReboot that allows you to set the number of seconds to wait for a response when MT::App::do_reboot is executed, to prevent accessing a worker process before it has been rebooted in a PSGI environment by setting the appropriate wait
  • [MTC-28503] Rebuild trigger no longer causes unnecessary rebuilds when saving
  • [MTC-28440] Added Data API v5 endpoint
    • [MTC-28510] Added GET /textFilters endpoint
    • [MTC-28571] Added assets and categories as updatable_fields on MT::DataAPI::Resource::v5::Entry
    • [MTC-26197] Renamed notextfilter to noTextFilters from on listEntries
    • [MTC-26273] Renamed contenttypecount to contentTypeCount on CategorySet resource
    • [MTC-27955] Text formatting is now applied to “text (multiple lines)” field when retrieving Content Data
      • [MTC-26477] Text formating can now be specified when updating “Text (multiple lines) fields” in content data
    • [MTC-28333] The default values for the number, sort order, and target field of the output results when retrieving a category set are now set to 25, ascending order, and name
    • [MTC-28311] Fixed definition of data type of return value that was erroneously set to string to integer
  • [MTC-28429] eatures that will be deprecated in future versions are now disabled on new installations
    • Trackback Plugin
    • OpenID Plugin
    • FacebookCommenters Plugin
    • spamlookup Plugin
    • Textile Plugin
    • WidgetManager Plugin
    • Atom API
    • Activity Feeds
    • Free-text search
    • Quickpost
    • Update ping
    • Language support
      • The language used in the site’s general settings and the language used in the user information will be Japanese and English only. However, if you set a different language for new installations, or if you set a different DefaultLanguage in mt-config.cgi, the language specified there will also be retained. The language choices for new installations will include languages other than English and Japanese
  • [MTC-28334] Updated ADOdb to 5.22.2
  • [MTC-28189] Supported PHP up to 8.1
    • [MTC-28299] Updated Smarty to 4.2.0
      • [MTC-28300] SmartyBC is no longer in use
  • [MTC-28141] When authorization errors or other errors occur on the admin screen, JSON errors are now returned instead of redirecting if JSON is expected to be returned
  • [MTC-28065] Improved the performance of Replacement on “Search and Replace”
  • [MTC-27761] Content Field IDs are now displayed on the Content Type page
  • [MTC-27435] Added Configuration Directive DefaultListLimit to specify the number of items to be displayed per page when a new user visits the list of Entries/Pages for the first time
  • [MTC-26535] Added Configuration Directive MaxFavoriteSites, which allows you to set the number of sites displayed in the left sidebar of the admin screen
  • [SUPPORT-175] When “Link to original image” is selected in the “Link from image” option when inserting an image, “Display on same screen” is now the default
  • [SUPPORT-174] When “Link to original image” is selected for the “Link from image” option when inserting an image, “Show in popup” cannot be selected if the “Popup image” template does not exist or is empty
  • [SUPPORT-135] Added Content Type Archives to “Publish category archives even if they do not contain articles” under [Settings] - [General] for sites and child sites, and adjusted the wording

AMI Edition (via AWS Marketplace)

  • [SUPPORT-185] When updating with the yum command, any changes to /etc/php.ini, /etc/php-fpm.ini, and /etc/my.cnf are not overwritten. The latest configuration file exists in /app/initial/etc
  • [CLOUD-216] Fixed a problem that prevented starman logs from being written after logrotate

Resolved issues

  • [MTC-28542] We have stopped using ontouchstart to eliminate useless warnings on mt.cgi
  • [MTC-28531] Stopped using jQuery.isArray and replaced it with Array.isArray
  • [MTC-26294] Fixed the site name in the HTML title of the site dashboard so that it is not duplicated
  • [MTC-28548] Fixed an issue that could cause a Use of uninitialized value warning when replacing content data
  • [MTC-28539] Fixed a problem with Data API that caused a Use of uninitialized value warning when requesting a range of data that does not exist
  • [MTC-28566] Fixed an issue with Rebuild Trigger of content type where the publish trigger originated from a save event
  • [MTC-28557] Fixed an issue where the filter name in the dialog was undefined when deleting a filter from the filter list in the listing framework
  • [MTC-28549] Fixed problem where cache thumbnail files generated under assets_c directory were not deleted when deleting image items
  • [MTC-28545] Fixed escaping of Content Field names in filter condition specification.
  • [MTC-28541] Fixed an issue where an error would appear when changing to another tab after searching a range of content types in the “Date and Time” field in the ” Tool - Search and Replace” section of mt.cgi
  • [MTC-28530] Fixed an error in the product name included in the warning message displayed in the plugin list when DebugMode is enabled in the presence of a plugin that is not optimized
  • [MTC-28515] Fixed duplicate definition of $dbd_class in MT::ObjectDriverFactory
  • [MTC-13233] Fixed uploading items on mt.cgi to not upload to directories other than under SitePath
  • [MTC-8706] Stopped using js/common/JSON.js, and did not load it on the admin page. For compatibility, Configuration Directive UseMTCommonJSON has been added so that js/common/JSON.js is loaded when set to 1. We plan to remove this Configuration Directive in a future version
  • [SUPPORT-170] Fixed an issue in the escaping of data identification labels for Content Data in the listing framework listing page

Movable Type Advanced

  • [SUPPORT-184] Fixed an error that occurred when upgrading from Movable Type r.5004 when using SQL Server


We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.

  • [MTC-28549] Makoto Tajima of M-Logic, Inc.
  • [MTC-28559], [MTC-28560] SHIGA TAKUMA of BroadBand Security, Inc., IPA and JPCERT/CC for their cooperation in handling the vulnerability information