The plugin does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed.
As an editor or admin, add or edit a Trip Destination/Activity/Type or Pricing Category (wp-admin/edit.php?post_type=trip) and put the following payload in the Description field: <img src onerror=alert(/XSS/)>
The XSS will be triggered in the list of Pricing Categories, Trips, etc.
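The missing escaping described above, shown next to a hardened form. This is an added example, not the affected plugin's code: it assumes a WordPress context and a plain-text Description kept in term meta, and the taxonomy `example_destination`, the meta key and column `example_description`, and the nonce names are hypothetical.

```php
<?php
/**
 * Added example, not the affected plugin's code. Assumed (hypothetical) names:
 * taxonomy 'example_destination', meta key / column 'example_description',
 * nonce field 'example_nonce' with action 'example_save_term'.
 */

// Vulnerable pattern: the stored Description reaches the list table as raw HTML,
// so a value such as <img src onerror=alert(/XSS/)> runs for whoever opens the list.
function example_column_unsafe( $content, $column, $term_id ) {
	if ( 'example_description' === $column ) {
		return get_term_meta( $term_id, 'example_description', true );
	}
	return $content;
}

// Hardened output: escape at the point of rendering. This holds whatever the
// author's capabilities are, including when unfiltered_html is disallowed.
function example_column_safe( $content, $column, $term_id ) {
	if ( 'example_description' === $column ) {
		return esc_html( get_term_meta( $term_id, 'example_description', true ) );
	}
	return $content;
}
add_filter( 'manage_example_destination_custom_column', 'example_column_safe', 10, 3 );

// Hardened save: verify the request, then store the Description as plain text.
function example_save_description( $term_id ) {
	if ( ! isset( $_POST['example_description'], $_POST['example_nonce'] ) ) {
		return;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) );
	if ( ! wp_verify_nonce( $nonce, 'example_save_term' ) ) {
		return;
	}
	if ( ! current_user_can( 'edit_term', $term_id ) ) {
		return;
	}
	// sanitize_textarea_field() strips tags but keeps line breaks.
	$clean = sanitize_textarea_field( wp_unslash( $_POST['example_description'] ) );
	update_term_meta( $term_id, 'example_description', $clean );
}
add_action( 'created_example_destination', 'example_save_description' );
add_action( 'edited_example_destination', 'example_save_description' );
```

If the Description is meant to carry limited markup, `wp_kses_post()` at both save and output is the equivalent choice to `sanitize_textarea_field()` and `esc_html()`.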