CVE-2025-60168: Cross-Site Request Forgery (CSRF) in integrationshotelrunner HotelRunner Booking Widget
Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS. This issue affects HotelRunner Booking Widget: from n/a through <= 1.6.
AI Analysis
Technical Summary
CVE-2025-60168 is a Cross-Site Request Forgery (CSRF) vulnerability found in the HotelRunner Booking Widget developed by integrationshotelrunner, affecting versions up to and including 1.6. The vulnerability allows attackers to trick authenticated users into executing unwanted actions without their consent by exploiting the lack of proper CSRF protections. This can lead to stored Cross-Site Scripting (XSS) attacks, where malicious scripts are permanently injected into the widget’s data, potentially affecting all users who access the compromised booking interface. The vulnerability has a CVSS 3.1 score of 7.1, indicating high severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, but requiring user interaction. The scope is changed, meaning the attack can affect resources beyond the initially compromised component. The impact includes partial loss of confidentiality, integrity, and availability, as attackers can steal session tokens, manipulate booking data, or disrupt service availability. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly. The widget is commonly integrated into hotel and travel websites to facilitate online bookings, making it a critical component in the hospitality sector’s digital infrastructure.
Potential Impact
For European organizations, especially those in the hospitality and travel sectors, this vulnerability poses significant risks. Exploitation could lead to unauthorized manipulation of booking data, theft of customer information, session hijacking, and defacement or disruption of booking services. Such impacts can damage customer trust, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and cause financial losses from disrupted operations or remediation costs. The stored XSS aspect increases the risk by allowing persistent malicious code that can affect multiple users over time. Given the widget’s integration in customer-facing platforms, the attack surface is broad, potentially affecting numerous hotels and travel agencies across Europe. The vulnerability could also be leveraged as a foothold for further attacks within organizational networks if attackers gain access through compromised user sessions.
Mitigation Recommendations
1. Apply security patches from integrationshotelrunner as soon as they become available to address the CSRF vulnerability.
2. Implement robust anti-CSRF tokens in all state-changing requests within the booking widget to ensure requests originate from legitimate users.
3. Enforce strict input validation and output encoding to prevent stored XSS payloads from being injected or executed.
4. Conduct regular security audits and penetration testing focused on web application security, particularly on third-party integrations like booking widgets.
5. Monitor web server and application logs for unusual activities indicative of CSRF or XSS exploitation attempts.
6. Educate staff and users about phishing and social engineering risks that could facilitate CSRF attacks.
7. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block CSRF and XSS attack patterns.
8. Limit the widget's permissions and isolate it within the web application architecture to reduce potential impact if compromised.
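Recommendations 2 and 3 together close the CSRF-to-stored-XSS chain described above: a session-bound token gates every write, and stored values are encoded at output time. The following is an added illustration, not code from the HotelRunner widget or from Patchstack; the `WidgetState` store, the `SITE_ORIGIN` value and the request dictionaries are constructed stand-ins for a real settings handler.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://hotel.example"  # assumed origin of the site hosting the widget


@dataclass
class WidgetState:
    """Constructed stand-in for the server-side widget settings store."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    settings: dict = field(default_factory=dict)


def issue_form(state: WidgetState) -> dict:
    """What the widget's own settings page hands the logged-in user: the
    session-bound token that a cross-site form post cannot read or guess."""
    return {"csrf_token": state.csrf_token}


def update_setting(state: WidgetState, request: dict) -> tuple[bool, str]:
    """State-changing handler: the write is gated on method, on the Origin
    header when the browser sends one, and on the anti-CSRF token."""
    if request.get("method") != "POST":
        return False, "state change must be POST"
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request rejected"
    sent = request.get("csrf_token", "")
    # constant-time compare so a token cannot be guessed byte by byte
    if not hmac.compare_digest(sent.encode(), state.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    state.settings[request["key"]] = request["value"]  # stored raw, encoded on output
    return True, "saved"


def render_setting(state: WidgetState, key: str) -> str:
    """Output encoding: whatever reached storage is HTML-escaped before it is
    written into the booking page, so a script payload renders as inert text."""
    value = html.escape(state.settings.get(key, ""), quote=True)
    return f'<p class="hr-widget">{value}</p>'
```

A forged cross-site post fails on the Origin check or the token check before anything is written, and a legitimate update is still escaped on render.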
Affected Countries
Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:09.603Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f8eff504677bbd79439a7e
Added to database: 10/22/2025, 2:53:41 PM
Last enriched: 1/20/2026, 9:42:57 PM
Last updated: 2/7/2026, 1:15:22 PM
Views: 43