This code will check every uploaded file and look if the string <?php is inside it, but it will only check the short open tag version in the files specified on preg_match function.
So, if you upload an image with a short open tag code, and save it as a php file, you will be able to bypass this validation system.
In order to explain the process, here are some images:
1– Create an image file using short open tags and some php code in the comment field.
2– Upload the image file and change the name field to a php file extension. (bypass javascript validation)
3– The server will respond with a 200 OK, letting you know that the file was sucessfully uploaded.
4– Uploaded file will be in the folder you specified on upload-dir field.
5– File can be executed and remote code execution can be done.
This issue can become more critical if you allow users to use JCE plugin as a primary plugin for comments.
This vulnerability has been patched in the JCE version 2.5.3.