CVE-2025-48883 MEDIUM

CVE-2025-48883: Chrome PHP is missing encoding in `CssSelector`

Vendor Chrome-Php
Product chrome
Weakness CWE-79 · XSS
Published May 30, 2025
Last update May 30, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Chrome PHP allows users to start playing with Chrome/Chromium in headless mode from PHP. Prior to version 1.14.0, CSS selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users who are unable to upgrade can apply encoding manually to their selectors.
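What manual encoding of a selector can look like, as an added example that is not Chrome PHP's own code. It assumes the selector ends up inside a double-quoted JavaScript string literal; `buildQueryUnencoded`, `buildQueryEncoded` and `encodeSelectorBody` are hypothetical names, and the sample selector is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an unpatched builder (assumption, not library code):
// the selector is pasted unencoded into a double-quoted JavaScript string.
function buildQueryUnencoded(string $selector): string
{
    return sprintf('document.querySelector("%s")', $selector);
}

// Hardened form: emit the selector as a complete JavaScript string literal.
// json_encode escapes quotes, backslashes, slashes and control characters.
function buildQueryEncoded(string $selector): string
{
    return sprintf('document.querySelector(%s)', json_encode($selector, JSON_THROW_ON_ERROR));
}

// Workaround form for callers who cannot change the builder: encode only the
// body of the literal, so the builder's own surrounding quotes stay balanced.
function encodeSelectorBody(string $selector): string
{
    return substr(json_encode($selector, JSON_THROW_ON_ERROR), 1, -1);
}

// Constructed sample: a legitimate attribute selector that contains quotes.
$selector = 'a[href="/login"]';

$unencoded  = buildQueryUnencoded($selector);
$encoded    = buildQueryEncoded($selector);
$workaround = buildQueryUnencoded(encodeSelectorBody($selector));

// In the unencoded form the inner quote closes the string early, so the
// remainder of the selector is parsed as script instead of data.
echo $unencoded, PHP_EOL;
echo $encoded, PHP_EOL;

if ($workaround !== $encoded) {
    throw new RuntimeException('workaround and hardened output differ');
}
// Decoding the emitted literal must give back the original selector.
$literal = substr($encoded, strlen('document.querySelector('), -1);
if (json_decode($literal, false, 512, JSON_THROW_ON_ERROR) !== $selector) {
    throw new RuntimeException('encoded selector does not round-trip');
}
```

Manual encoding of this kind belongs only in front of a builder that does no encoding of its own; in front of one that already encodes, the selector would be encoded twice.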

Key dates

02 Disclosure timeline

May 30, 2025 CVE published
May 30, 2025 Record updated
