Movable Type 8.8.0 Release Notes
This version of Movable Type was released October 22, 2025.
New and improved features
- Added support for PHP 8.4 (MTC-29927)
- Added an input field in the installation wizard to specify the
DBIConnectOptionsconfiguration directive for database connection settings. This allows setting additional connection options, such as when using TLS with MySQL (MTC-29999) - Added an
IDoption to the display settings in list screens such as User, Asset, and ContentData, allowing items to be filtered by ID (MTC-30044) - Updated the License Check plugin to automatically renew the license expiration date (MTC-30046)
- Added the configuration directive
DisableContentFieldPermissionto disable field-level permission settings for ContentType.
When this directive is enabled (set to1), the ContentField permission settings are hidden in the Role editing screen, and the display of the Admin screen related to ContentType becomes faster (MTC-30056) - Updated some of the bundled Perl modules (
extlib) (MTC-30596)
CGI(4.66 → 4.69)Class::Data::Inheritable(0.09 → 0.10)Crypt::URandom(0.40 → 0.54)Hash::Merge::Simple(0.051 → 0.052)Image::ExifTool(12.76 → 13.30)LWP::Protocol::http(6.77 → 6.78)LWP::UserAgent(6.77 → 6.78)Mail::Address(2.21 → 2.22)Math::BigInt(2.003003 → 2.005003)MIME::Types(2.26 → 2.28)Net::OAuth(0.28 → 0.31)parent(0.242 → 0.244)Text::CSV(2.04 → 2.06)TheSchwartz(1.17 → 1.18)URI(5.29 → 5.32)YAML::Tiny(1.74 → 1.76)
- Updated the bundled
MFAplugin from 1.0.5 to 1.1.0 and theMFA-TOTPplugin from 1.1.0 to 1.2.0 (MTC-30707)
- Added a setting to require multi-factor authentication.
When enabled in System Settings, users who have not configured multi-factor authentication are restricted from operating the Admin screen until it is activated (MTC-30613)
- Added a setting to require multi-factor authentication.
- Improved the update notification widget on the dashboard to display more detailed version information and whether security updates are available (MTC-30671)
- Bundled the Perl module
Module::Loadinextlib(MTC-30708)
MTBlockEditor Plugin
- Made it possible to customize the number of columns available in the multi-column block of the MTBlockEditor plugin using JavaScript(MTC-29916)
- Enabled customization of the buttons displayed in the toolbar of the text block and table block of the MTBlockEditor plugin through JavaScript (MTC-30726)
MTRichTextEditor Plugin
- Bundled the
MTRichTextEditorplugin (MTC-30702)
Resolved issues
- Fixed an issue where specifying a subdomain wildcard in the
TrustedHostsconfiguration directive unintentionally matched IP addresses (MTC-30564) - Added a note under the
Usernamefield on the user creation screen that says “This will be used to sign in to the admin screen.” (SUPPORT-614) - Fixed an issue where themes without a
classelement intheme.yamlcould not be selected when creating a site or changing a site theme (MTC-29597) - Fixed an issue where themes with an invalid
classvalue (anything other thanwebsiteorblog) intheme.yamlcould still be applied (MTC-29598) - Fixed an issue where themes without a
classelement intheme.yamlwere not displayed in the theme list screen (MTC-29599) - Fixed an issue where, when the
UseRiotconfiguration directive was set to0, adding multiple date filters such as “Created On” in the Svelte-based Site List screen caused the display to break (MTC-30403) - Fixed an issue in the site list within the permission settings dialog where not all sites were displayed and the layout was broken. Added a new configuration directive
GrantRoleSitesView, allowing users to switch between list and tree views. The default setting is tree (MTC-30431) - Fixed an issue where
default_templatesadded by plugins were only created in child sites during upgrades and not in parent sites (MTC-30463) - Fixed an issue where thumbnails were not displayed when uploading images in the Block Editor (MTC-30549)
- Fixed an issue where, when an unsupported language was specified for the
languagemodifier inMTDateor other date/time-related tags, the output now falls back to the default language setting’s date/time format (MTC-30599) - Fixed an issue in the installation wizard where the selected language was not properly applied (MTC-30621)
- Fixed an issue where the Data API’s OpenAPI (Swagger) schema validation failed when the
Commentsplugin was enabled (MTC-30629) - Fixed an issue in the entry and web page editing screens where the selected format was not properly applied when the window width was 992px or less (MTC-30634)
- Removed the information about discontinued European languages from
index.html(the Movable Type top page) (MTC-30641) - Fixed the breadcrumb navigation on the license confirmation page (MTC-30679)
- Restricted the available paths for use in the
Data API(MTC-30313)
Dynamic Publishing
- Fixed an issue in dynamic publishing where specifying the date format
%ain theMTDatetag’sformatmodifier did not display the correct day of the week (MTC-30553) - Fixed an issue in Dynamic Publishing where the initial value of the
AllowTestModifierconfiguration directive was not set (MTC-30563)
MFA Plugin
- Fixed an issue where a JavaScript error occurred on the new user creation screen when the
MFAplugin was enabled (MTC-30177)
MTBlockEditor Plugin
- Fixed an issue where copying and pasting text within a text block in the
MTBlockEditorplugin unintentionally pasted the content as a new block (MTC-30452)
MTRichTextEditor Plugin
- Fixed an issue in the
MTRichTextEditorplugin where the “Insert Formatted Text” button did not appear in the toolbar by default, even when theFormattedTextForMTRichTextEditorplugin was enabled (MTC-30383)
AMI Edition
- Fixed an issue where the installation wizard did not operate properly (MTC-29721)
Security fixes and improvements
- Fixed a cross-site scripting (XSS) vulnerability in Edit ContentData page on mt.cgi (CVE-2025-54856, MTC-30710)
- Fixed a cross-site scripting (XSS) vulnerability in Edit CategorySet of ContentType page on mt.cgi (CVE-2025-62499, MTC-30711)
Deprecated Features
- Deprecated
MT::Util::is_valid_ip(MTC-30597)
