Moodle is vulnerable to second-order SQL injection (SQLi) by users with Teacher or higher privileges. These privileges are required because the SQL injection is in the badge management functionality. A user with the Teacher role for a course can add a badge which students can earn after meeting certain criteria.