Hi,
I found my server with the same ‘hack’, uploaded using the tiny_mce library.
Without logging in, they can upload files inside public/site/images/
They used these calls:
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/%7B HTTP/1.1" 200
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 200
The dir public/site/images is writable by www-data.
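
A log check for the requests quoted in the post above, as an added example that is not part of the original post: it scans an access log for POSTs to the jbimages upload endpoint and lists the clients whose requests were answered 2xx. The Apache combined log format, the sample lines (documentation-range IPs, constructed timestamps and sizes) and the function names are assumptions; only the request paths come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. IPs, timestamps and
# sizes are made up; only the request paths are taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/%7B HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 200 498 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php/journal/index HTTP/1.1" 200 10240 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 403 199 "-" "-"
"""

# client, timestamp, method, path and status from a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The plugin's upload controller, wherever the tinymce directory is installed
UPLOAD_RE = re.compile(r"/plugins/jbimages/ci/index\.php/upload(/|$)", re.I)


def find_jbimages_uploads(log_text):
    """Return {client_ip: [(timestamp, decoded_path, status), ...]} for
    POST requests to the jbimages upload endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and decode %xx so "%7B" is reported as "{"
        path = unquote(m["path"].split("?", 1)[0])
        if UPLOAD_RE.search(path):
            hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)


def accepted(hits):
    """Client IPs with at least one upload request answered 2xx."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, status in reqs))


if __name__ == "__main__":
    found = find_jbimages_uploads(SAMPLE_LOG)
    for ip in accepted(found):
        print(ip, found[ip])
```

A 2xx status only shows that the endpoint answered the request, so files in public/site/images/ created around the reported timestamps still need to be reviewed by hand.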