Moodle Codebase Exposes Local File Inclusion Risk via Database-Driven `require_once`
A local file inclusion (LFI) weakness has been identified in the Moodle learning platform's core code. It lies in the `executeService()` method of the `BackgroundServiceRunner` class and in its legacy counterpart, `execute_background_services.php`. Both read file paths out of the `background_services` database table and pass them straight to `require_once` without validating them first, so a single tampered or malicious row is enough to make the server include, and therefore execute, an arbitrary local file.
The risk follows from the design itself: paths to executable code are stored as ordinary data. An attacker who gains write access to the `background_services` table, whether through a separate vulnerability or a misconfiguration, could insert paths containing directory traversal sequences (`..`), PHP stream wrappers (`php://`, `data://`) or similar payloads. One caveat on the wrappers: `data://` is only honoured by `require_once` when `allow_url_include` is enabled, while `php://filter` and `phar://` work regardless of that setting, so a wrapper check cannot rely on the php.ini default alone. The current code neither rejects these patterns nor verifies that the resolved path still lies inside the application's designated `fileroot` directory.
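The following is an added illustration, not Moodle's code: the unsafe shape described above next to a hardened resolver that rejects wrappers, absolute paths, NUL bytes and `..` segments, then canonicalises with `realpath()` and requires the result to sit strictly beneath the code root. The names `resolve_include_path`, `load_background_service`, the `$root` variable and the `services/cleanup.php` file are assumptions made for the example; the sample paths at the bottom are constructed.

```php
<?php
// Added example (not Moodle's code). $root stands in for the application's
// code root; 'services/cleanup.php' and the test paths below are constructed.

// The unsafe shape described above: a path read from the database goes
// straight into require_once. Shown for contrast only; never called here.
function load_background_service_unsafe(string $dbpath, string $root)
{
    return require_once $root . '/' . $dbpath;
}

// Hardened resolver: returns the canonical path if, and only if, $dbpath is a
// plain relative .php path that resolves to a regular file beneath $root.
function resolve_include_path(string $dbpath, string $root): ?string
{
    // Anything with a scheme (php:, data:, phar:, ...) or a drive letter is
    // never a legitimate value for this column.
    if ($dbpath === '' || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $dbpath)) {
        return null;
    }
    // Whitelist the character set (this also excludes NUL bytes and
    // backslashes) and insist on a .php suffix with no trailing newline.
    if (!preg_match('#^[A-Za-z0-9_./-]+\.php\z#', $dbpath) || $dbpath[0] === '/') {
        return null;
    }
    // Reject '.', '..' and empty segments so traversal never reaches realpath().
    foreach (explode('/', $dbpath) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    // Canonicalise both sides (this follows symlinks too) and require the
    // candidate to start with "<root>/" so /var/www2 cannot pass as /var/www.
    $rootreal = realpath($root);
    if ($rootreal === false) {
        return null;
    }
    $candidate = realpath($rootreal . DIRECTORY_SEPARATOR . $dbpath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $rootreal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function load_background_service(string $dbpath, string $root)
{
    $path = resolve_include_path($dbpath, $root);
    if ($path === null) {
        throw new RuntimeException('refusing to include untrusted path: ' . addcslashes($dbpath, "\0..\37"));
    }
    return require_once $path;
}

// Demo on a throwaway root holding one legitimate service file (constructed).
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/services', 0700, true);
file_put_contents($root . '/services/cleanup.php', "<?php\nreturn 'cleanup ran';\n");

$cases = [
    'services/cleanup.php',                                    // the only good one
    '../../../../etc/passwd',
    'services/../../../etc/passwd.php',
    '/etc/passwd',
    'php://filter/convert.base64-encode/resource=config.php',
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',      // "<?php phpinfo();"
    "services/cleanup.php\0.txt",
];
foreach ($cases as $dbpath) {
    $resolved = resolve_include_path($dbpath, $root);
    printf("%-58s %s\n", addcslashes($dbpath, "\0..\37"),
        $resolved === null ? 'REJECTED' : 'OK -> ' . $resolved);
}
echo load_background_service('services/cleanup.php', $root), "\n";

unlink($root . '/services/cleanup.php');
rmdir($root . '/services');
rmdir($root);
```

Run it with `php lfi_demo.php`: only the first case resolves, and the final line prints the service file's return value. The segment check and the `realpath()` prefix check are deliberately both present; the former fails fast on obvious traversal, the latter catches what a whitelist cannot see, such as a symlink under `services/` pointing outside the root.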
Because exploitation requires the attacker to have obtained database write access first, this is a defense-in-depth issue rather than a directly reachable one, but the pattern itself is a genuine architectural weakness. The internal security note explicitly warns that the same unsafe practice "may exist in other places where include paths are stored in the database" and calls for a broader audit of the code base. The flaw was uncovered during an automated Copilot code review, an illustration of how AI-assisted audits can surface design-level risks in large, long-lived codebases such as Moodle's, which underpins education infrastructure worldwide.