Moodle is vulnerable to an access restriction bypass. If an authenticated attacker is a member of more than one group, Moodle allows that user to post to all groups even if the user does not have the capability to do so. This happens because Moodle fails to enforce the moodle/site:accessallgroups capability requirement.