The vulnerability stems from insufficient escaping in participants' name rendering. Moodle's participants table (participants_table.php) handles user name display. The col_fullname method typically formats user names for display. If it used raw user input without applying Moodle's context-aware escaping (format_string()/s()), it would introduce XSS. This matches the advisory's description of 'insufficient escaping in participants page table' and follows Moodle's pattern of column rendering methods in table classes.