
CVE-2025-60168: Cross-Site Request Forgery (CSRF) in integrationshotelrunner HotelRunner Booking Widget

Severity: High
Published: Wed Oct 22 2025 (10/22/2025, 14:32:42 UTC)
Source: CVE Database V5
Vendor/Project: integrationshotelrunner
Product: HotelRunner Booking Widget

Description

Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS. This issue affects HotelRunner Booking Widget: from n/a through <= 1.6.

AI-Powered Analysis

Last updated: 10/22/2025, 15:27:59 UTC

Technical Analysis

The vulnerability identified as CVE-2025-60168 affects the HotelRunner Booking Widget, a tool used by hotels to facilitate online bookings. The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of authenticated users. Specifically, the CSRF flaw can be leveraged to inject stored Cross-Site Scripting (XSS) payloads, which persist within the application and execute in the context of users' browsers. This combination of CSRF and stored XSS is particularly dangerous because it can lead to session hijacking, credential theft, or unauthorized manipulation of booking data. The affected versions include all versions up to and including 1.6, with no patch currently available. The vulnerability was reserved in late September 2025 and published in October 2025, with no CVSS score assigned yet. Exploitation requires no user interaction beyond the victim being authenticated and visiting a malicious page, which makes it relatively easy to exploit in targeted attacks. The lack of known exploits in the wild suggests that it is either newly discovered or under limited attack, but the risk remains significant given the nature of the vulnerability and the sensitive context of booking systems.

Potential Impact

For European organizations, especially those in the hospitality and tourism sectors, this vulnerability could lead to unauthorized booking modifications, theft of customer data, and compromise of user sessions. Stored XSS can facilitate persistent attacks on users, potentially leading to widespread credential theft or malware distribution. The reputational damage from such breaches could be severe, impacting customer trust and regulatory compliance under GDPR. Additionally, attackers could manipulate booking data, causing financial losses or operational disruptions. Since the HotelRunner Booking Widget is integrated into many hotel websites, the attack surface is broad. The impact extends beyond individual hotels to the broader tourism ecosystem, affecting travel agencies and booking platforms that rely on this widget. The vulnerability could also be exploited to conduct phishing or social engineering campaigns targeting European customers familiar with these booking systems.

Mitigation Recommendations

Immediate mitigation steps include implementing anti-CSRF tokens in all forms and state-changing requests within the widget to prevent unauthorized actions. Input validation and output encoding should be enforced to mitigate stored XSS risks. Organizations should monitor for unusual booking activity and review logs for signs of exploitation attempts. Until an official patch is released, consider isolating or disabling the widget if feasible, or deploying Web Application Firewalls (WAFs) with rules targeting CSRF and XSS attack patterns. Educate staff and users about phishing risks associated with this vulnerability. Regularly update and audit third-party components and maintain a robust incident response plan. Engage with the vendor to obtain patches or updates and apply them promptly once available. Conduct penetration testing focused on CSRF and XSS vectors to identify residual risks.
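The two mitigations above (anti-CSRF tokens on state-changing requests and output encoding of stored values) are shown below as an added example; it is constructed code with hypothetical names and is not HotelRunner's implementation. It models a widget settings handler first with the CSRF-to-stored-XSS pattern the advisory describes, then hardened with a session-bound token, a Sec-Fetch-Site check and HTML escaping on render.

```python
import hashlib
import hmac
import html

# Constructed example (hypothetical names, not HotelRunner's code): a settings
# handler for a booking widget, as the CSRF + stored-XSS pattern the advisory
# describes, then hardened with a per-session token and output encoding.
SERVER_SECRET = b"constructed-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: a page on another origin cannot read or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id: str, token) -> bool:
    return isinstance(token, str) and hmac.compare_digest(issue_csrf_token(session_id), token)


def vulnerable_update(store: dict, request: dict) -> int:
    """Any POST carrying the victim's session cookie is accepted, so a form
    submitted from a third-party page can change the stored widget text."""
    if not request.get("session_id"):
        return 403
    store["title"] = request["form"].get("title", "")
    return 200


def vulnerable_render(store: dict) -> str:
    """The stored value is echoed raw, so the forged update becomes stored XSS."""
    return "<h2>" + store["title"] + "</h2>"


def hardened_update(store: dict, request: dict) -> int:
    """Rejects cross-site requests: fetch-metadata check plus a valid session token."""
    if not request.get("session_id"):
        return 403
    if request.get("sec_fetch_site", "same-origin") not in ("same-origin", "none"):
        return 403
    if not valid_csrf_token(request["session_id"], request["form"].get("csrf_token")):
        return 403
    store["title"] = request["form"].get("title", "")
    return 200


def hardened_render(store: dict) -> str:
    """Encodes on output, so whatever was stored cannot run as script."""
    return "<h2>" + html.escape(store["title"], quote=True) + "</h2>"
```

Both the token and the Sec-Fetch-Site check are needed in practice: older browsers do not send fetch metadata, and the token alone does nothing if the stored value is later rendered unescaped.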


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:09.603Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68f8eff504677bbd79439a7e

Added to database: 10/22/2025, 2:53:41 PM

Last enriched: 10/22/2025, 3:27:59 PM

Last updated: 10/29/2025, 6:55:37 AM
