Being able to inject something like "<--! hello" into a page title by adding "%3C--!%20hello" to the url is not a cross site scripting vulnerability. It only becomes a cross site scripting vulnerability if something injected into the url contains a script that will actually be executed because the site does not sanitize the url and literally injects the passed contents into the DOM.
So the test that your IT is using is not entirely valid.
However, webwork is vulnerable to a cross site scripting attack that we now have a mechanism to fix. The vulnerability was reported in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4295. This will be fixed for the next release.
WeBWorK Main Forum
WeBWorK 2.18 cross-site scripting vulnerabilities
This forum has a limit to the number of forum postings you can make in a given time period - this is currently set at 10 posting(s) in 1 day