kindeditor is vulnerable to remote file upload. The library does not check whether a user has the permission to upload files to the system, allowing a malicious user to upload an arbitrary file to the system through a POST request to the php/upload_json.php
file.