Does anybody know is Moodle OWASP compliant? If it is, how can I verify it?
I don't know of an official external OWASP compliance process, but yes Moodle is aware of OWASP, and has a Security policy for developers that references OWASP here:
It is important to note that this is often not the case for 3rd party plugins that do not come with the standard Moodle release - this also includes plugins that link to commercial products, and plugins that are not free/open-source and require a subscription to use.
If a plugin is not registered in the official moodle.org plugins database it's unlikely it has been reviewed for compliance with Moodle coding/security/performance guidelines. Plugins that are registered in the plugins db have typically been reviewed at least once by a senior developer, and have a public bug tracker that you can look at to see if there are any known unresolved security issues that have been reported.
Does that help? - if not it might help to further understand the context of your question.