CVE-2025-60168: Cross-Site Request Forgery (CSRF) in integrationshotelrunner HotelRunner Booking Widget
Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS. This issue affects HotelRunner Booking Widget: from n/a through <= 1.6.
AI Analysis
Technical Summary
CVE-2025-60168 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the HotelRunner Booking Widget, a tool widely used by hospitality businesses to facilitate online bookings. The vulnerability exists in versions up to and including 1.6. CSRF flaws allow attackers to trick authenticated users into submitting unwanted requests to a web application, potentially causing unauthorized actions. In this case, the CSRF vulnerability can be leveraged to inject stored Cross-Site Scripting (XSS) payloads, which persist on the affected system and execute malicious scripts in the context of users' browsers. The CVSS 3.1 base score of 7.1 indicates a high severity, with the vector showing network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability at a low to moderate level. No known exploits have been reported in the wild yet, but the potential for abuse is significant given the widget’s role in processing booking data and user interactions. The vulnerability was published on October 22, 2025, with the initial reservation date on September 25, 2025. The lack of available patches at the time of reporting increases the urgency for mitigation measures. The HotelRunner Booking Widget is integrated into many hotel and travel websites, making it a valuable target for attackers aiming to compromise user data or disrupt booking services.
Potential Impact
For European organizations, especially those in the hospitality and travel sectors, this vulnerability could lead to unauthorized manipulation of booking data, theft of personal information, session hijacking, and defacement or disruption of booking services. The stored XSS component could enable attackers to execute malicious scripts in the browsers of users visiting affected sites, potentially leading to credential theft, malware distribution, or further compromise of user accounts. This could damage customer trust, lead to regulatory penalties under GDPR due to data breaches, and cause financial losses from disrupted operations. Given the widget’s integration into booking platforms, the availability of services could be impacted, affecting revenue streams. The vulnerability’s exploitation does not require authentication but does require user interaction, which could be facilitated through phishing or malicious links. The cross-site nature of the attack means that even users with limited privileges could be targeted, broadening the scope of impact. European organizations with high volumes of online bookings are at increased risk of reputational damage and operational disruption.
Mitigation Recommendations
Organizations should immediately monitor for updates or patches from the HotelRunner vendor and apply them as soon as they become available. In the interim, implementing anti-CSRF tokens in all forms and requests processed by the widget can help prevent unauthorized requests. Employing strict Content Security Policy (CSP) headers can mitigate the impact of stored XSS by restricting the execution of unauthorized scripts. Web Application Firewalls (WAFs) should be configured to detect and block suspicious CSRF and XSS payloads targeting the widget. Regular security audits and penetration testing focused on the booking platform can identify residual vulnerabilities. User education campaigns to recognize phishing attempts that could trigger CSRF attacks are also recommended. Additionally, isolating the booking widget in a sandboxed iframe with restrictive permissions can limit the potential damage from exploitation. Logging and monitoring for unusual booking activity or script injections will aid in early detection of exploitation attempts.
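To make the two controls above concrete, here is an added illustration (not HotelRunner's code) of a hypothetical server-side handler for a widget settings form: the request is accepted only when it carries a session-bound anti-CSRF token and a same-site Origin, and the stored text is HTML-escaped at render time so a forged request cannot plant markup that later runs in visitors' browsers. The names `save_widget_setting`, `render_widget` and the `SITE_ORIGIN` value are assumptions made for the example.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://hotel.example"  # constructed value for the example


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Synchronizer token: a random nonce bound to the session with an HMAC."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes) -> bool:
    """A token minted for another session, or a tampered one, fails the HMAC."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: a cross-site form post carries a foreign (or no) Origin."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def save_widget_setting(request: dict, session_id: str, secret: bytes, store: dict) -> int:
    """Hypothetical settings endpoint; returns an HTTP status code."""
    if not origin_allowed(request.get("headers", {})):
        return 403
    token = request.get("form", {}).get("_csrf", "")
    if not verify_csrf_token(token, session_id, secret):
        return 403
    # Store the raw value; escaping happens where it is rendered.
    store["welcome_text"] = request["form"].get("welcome_text", "")
    return 200


def render_widget(store: dict) -> str:
    """Escape at output time so stored text is never interpreted as markup."""
    text = html.escape(store.get("welcome_text", ""), quote=True)
    return f'<div class="hr-welcome">{text}</div>'
```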
Affected Countries
Spain, Italy, France, Germany, United Kingdom, Netherlands, Portugal, Greece
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:09.603Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f8eff504677bbd79439a7e
Added to database: 10/22/2025, 2:53:41 PM
Last enriched: 11/13/2025, 11:56:13 AM
Last updated: 12/14/2025, 8:34:23 AM
Views: 29