There are many ways to accomplish such an attack but he probably did something with a script as you suggested. I'd be willing to bet he also got more than just one moderator's password, especially if other moderators or admins read the topic he had it in.
If you want to prevent this from happening again you need to upgrade to the newest version (if you're not already using it) and disable HTML on your community.
Unfortunately, there are just too many ways for people to get around the HTML filters, and it can never be 100% fail-safe. By having it enabled you're at higher risk.
There are a couple of things you should do immediately, since you were compromised, to prevent more attacks by the same person.
- Check all recent posts for scripts and remove them.
- Change all your moderator and admin passwords.
- Change your FTP password(s).
- All your passwords should be unique... don't have the same password for an admin AND your FTP, for example.
- Use letter and number combinations for all your passwords and don't use words that can be found in any dictionary.
- Manually check all the pages, scripts, and graphics on your server to ensure everything is what it's supposed to be and not another script that can be used to gain access back in.
- Search your members directory to ensure no new Admins were added.
Good luck!
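
An added example, not part of the original post: one way to triage the "check all recent posts for scripts" step is to parse each post body as HTML and flag anything a browser would execute, rather than searching for the literal string `<script`. It assumes the posts have been exported as a mapping of post id to raw body text (the board's storage format is not given here); the ids, bodies, and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that run or load active content when a browser renders the post.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "meta", "link", "base", "form"}
# Attributes whose value is a URL and can therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "background", "formaction", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

class PostScanner(HTMLParser):
    """Collects the reasons a post body would run script if rendered as HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before this is called.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Browsers ignore whitespace and control characters inside a scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")

def scan_post(body):
    scanner = PostScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

def flag_posts(posts):
    """Return {post_id: findings} for every post that needs manual review."""
    return {pid: f for pid, body in posts.items() if (f := scan_post(body))}

# Constructed sample posts (hypothetical ids and inert bodies).
SAMPLE_POSTS = {
    101: "Thanks, that <b>fixed</b> it. See <a href='http://example.com/faq'>the FAQ</a>.",
    102: "Nice photo <img src='pic.gif' onload='void(0)'>",
    103: "<a href='java&#9;script:void(0)'>click</a>",
    104: "<SCRIPT SRC='http://example.com/x.js'></SCRIPT>",
}

if __name__ == "__main__":
    for pid, findings in flag_posts(SAMPLE_POSTS).items():
        print(pid, findings)
```

This is a triage aid for the manual review: a post that comes back clean has only passed these particular checks, so the scan does not replace disabling HTML.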