Hi @bernieh,
As you’ve noted, this is just a profile image upload, not an actual hack (any more than setting your Twitter image to “I Hacked Twitter” would be proof of that). See Regarding Recent OJS Defacement Attacks for a blog post about it.
There’s a work-around documented in the forum that disables the JBImages plugin entirely, removing the ability to upload images in TinyMCE rich text controls. It’s described here: Misuse of feature in PKP OCS 2.3.6 - #4 by asmecher
I don’t think you’ll see unintended consequences with your work-around either.
Regards,
Alec Smecher
Public Knowledge Project Team