| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.9, < 3.9.2 | 3.9.2 |
The vulnerability stems from insufficient output sanitization of the 'moodlenetprofile' user profile field. Moodle handles custom profile fields through specialized classes under user/profile/field/, and the display_data() method of each class is responsible for rendering the stored field value. Because the advisory specifically states that 'extra sanitizing' was added in the fix, the raw field value was very likely being output from this display method without adequate escaping, which is a stored XSS risk: markup saved into the field by one user would be interpreted by the browser of anyone viewing that profile. This matches the recurring pattern in Moodle's XSS issues, where output escaping is missing in profile field rendering.
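To make the unescaped-output pattern concrete, the following PHP snippet is an added illustration and not Moodle's own code: it models a minimal profile field class with a display_data() method, shows the vulnerable form (raw value returned) beside the hardened form (HTML-escaped before output), and runs both over constructed sample values. The class names, the ProfileFieldValue holder and the contains_raw_markup() check are assumptions made for this example; only the display_data() method name comes from the description above.

```php
<?php
// Added example (not Moodle's code). Models a custom profile field whose
// display_data() renders a user-supplied value, first unescaped and then escaped.
declare(strict_types=1);

// Stand-in for the stored field value. In the real system this is loaded from
// the database and originates from user input, so it must be treated as untrusted.
final class ProfileFieldValue {
    /** @var string */
    public $data;
    public function __construct(string $data) { $this->data = $data; }
}

// Vulnerable pattern: the raw value is returned unchanged, so any markup the
// user stored is interpreted by the browser of whoever views the profile.
final class VulnerableProfileField {
    /** @var ProfileFieldValue */
    private $value;
    public function __construct(ProfileFieldValue $value) { $this->value = $value; }
    public function display_data(): string {
        return $this->value->data; // no output escaping
    }
}

// Hardened pattern: escape for an HTML text context at the point of output.
// Moodle ships its own helper for this, s(), which wraps htmlspecialchars();
// plain htmlspecialchars() is used here so the example runs stand-alone.
final class HardenedProfileField {
    /** @var ProfileFieldValue */
    private $value;
    public function __construct(ProfileFieldValue $value) { $this->value = $value; }
    public function display_data(): string {
        return htmlspecialchars(
            $this->value->data,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            'UTF-8'
        );
    }
}

// Review-time check (assumed helper): does rendered output still contain a
// raw tag opener? A hardened renderer should never produce one from user data.
function contains_raw_markup(string $html): bool {
    return (bool) preg_match('/<\s*[a-z!\/]/i', $html);
}

// Constructed sample values (not real Moodle data).
$samples = [
    'plain'  => 'https://moodle.net/u/alice',
    'markup' => '<b>bold</b> and a "quoted" value',
];

foreach ($samples as $label => $raw) {
    $value = new ProfileFieldValue($raw);
    $vuln  = (new VulnerableProfileField($value))->display_data();
    $safe  = (new HardenedProfileField($value))->display_data();
    printf("%-7s vulnerable: %s  [raw markup: %s]\n", $label, $vuln,
        contains_raw_markup($vuln) ? 'yes' : 'no');
    printf("%-7s hardened:   %s  [raw markup: %s]\n", $label, $safe,
        contains_raw_markup($safe) ? 'yes' : 'no');
}
```

Run it with `php example.php`: the plain URL renders identically in both forms, while the markup sample shows the vulnerable renderer passing `<b>` and the quotes through untouched and the hardened renderer emitting `&lt;b&gt;` and `&quot;`. The escaping must match the output context; htmlspecialchars() with ENT_QUOTES covers HTML text and quoted attribute values, but a value placed inside a URL or a script block needs context-specific encoding instead.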