I used to work for a Moodle host that also did custom plugin development.
The Moodle code base dates back to somewhere around 2000 ish, and comes with the baggage of the early days of PHP. The Moodle code is full of "no guard rails" style functions, where you do things like write strings directly out as HTML and write direct SQL queries. Couple this with the 'plugin hub' not really having any acceptance criteria, and you get hundreds (thousands?) of security vulnerabilities.
I think there's been a push to modernize things in the few years since I left, but it's hard to update a codebase that old.