
This reminds me of setting up a file hosting server at home in high school so I could work on projects from school without constantly burning CDs or dealing with terrible thumb drives. Sketchy PHP, no authentication, no sanitization. Just browse to a file and click upload. In hindsight it's kind of shocking it wasn't taken over.


If you built it yourself, it's highly likely nobody ever found it. Even back then most of the "script kiddies" on the internet were using pre-packaged exploits for known software, not searching every single possible IP for forms with upload buttons.


As someone who was a high schooler 2008-2012 who built their own simple PHP apps for things: script kiddies of the time definitely were scanning for arbitrary forms. Not necessarily trying to exploit the code, but just anything that would allow them to post spam.


I had a big data loss event back in 2008ish when someone found out, I'm guessing, that they could upload a PHP file to an upload-anything form on my home server. I thought I was keeping it secure by disallowing ".php" files, but I think some MultiView option I had set in Apache allowed them to upload .php.somethingelse and still have it get executed, blowing away, sadly, all my Subversion repos. Switched everything I could salvage to Git after that and never looked back. Also I no longer trust Apache to directly serve user-uploaded files. :P

Long story short, someone apparently went to a non-zero amount of effort to hack my homebrew file-upload form.
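The double-extension bypass described above, as an added PHP example that is not code from the thread. It puts the weak check (reject anything ending in ".php") next to an allowlist check that also refuses names with more than one extension and lets the server choose the stored filename. Apache's mod_mime applies a handler to every extension in a filename when PHP is wired up with `AddHandler application/x-httpd-php .php`, which is how a file like `shell.php.bak` gets executed; the upload directory, the extension list and the function names below are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Two upload-name checks side by side:
// the weak "reject .php" blocklist and an allowlist that also defeats double
// extensions such as "shell.php.bak". Directory and extension list are assumed.

declare(strict_types=1);

// Weak check: only rejects names whose final extension is ".php".
// "shell.php.bak" passes, yet Apache still runs it when PHP is enabled with
// "AddHandler application/x-httpd-php .php", because AddHandler matches any
// extension in the name, not only the last one.
function weakRejectsUpload(string $clientName): bool
{
    return (bool) preg_match('/\.php$/i', $clientName);
}

// Hardened check: allowlisted extension, exactly one dot, safe stem, and a
// server-chosen stored name, so nothing the client sent reaches the filesystem.
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'zip'];

function safeStoredName(string $clientName): ?string
{
    $base = basename($clientName); // drop any path component the client supplied
    // stem of safe characters, one dot, short alphanumeric extension
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Upload handler using the hardened check. UPLOAD_DIR is an assumed path and
// should sit outside DocumentRoot. If uploads must be web-reachable, add
// "php_flag engine off" in an .htaccess there, and enable PHP with
// <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>
// instead of AddHandler, so only names *ending* in .php are executed.
const UPLOAD_DIR = '/var/uploads';

function handleUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $stored = safeStoredName((string) ($file['name'] ?? ''));
    if ($stored === null) {
        throw new RuntimeException('file name or type not allowed');
    }
    // Content sniff as a second opinion: a ".png" that is really PHP source is refused.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (in_array($mime, ['text/x-php', 'application/x-httpd-php', 'application/x-php'], true)) {
        throw new RuntimeException('PHP source rejected');
    }
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // never executable
    return $stored;
}

// Constructed filenames showing where the two checks disagree.
if (PHP_SAPI === 'cli') {
    $samples = ['notes.txt', 'shell.php', 'shell.php.bak', 'shell.PHP.jpg',
                '../../etc/passwd', 'a.b.c.png'];
    foreach ($samples as $n) {
        printf("%-20s weak-rejects=%-3s hardened=%s\n",
            $n,
            weakRejectsUpload($n) ? 'yes' : 'no',
            safeStoredName($n) ?? 'rejected');
    }
}
```

Run it from the command line to see the disagreement: the weak check lets `shell.php.bak` and `shell.PHP.jpg` through, while the allowlist rejects both along with the path-traversal name. The stored name is random, so even an allowed file cannot be addressed by the name the attacker chose.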



