A few possibilities, ordered by likelihood:
1. Your Django app may contain weaknesses that allow an attacker to execute arbitrary code as user www-data.
2. Django itself may contain a weakness that allows for remote code execution.
3. Apache itself may contain a weakness that allows for remote code execution.
In all three scenarios, an attacker gains access to the file system, or, in case you've chrooted your process, to the part of the filesystem in the chroot jail. An attacker being able to change your images probably isn't the biggest problem (depending on the nature and use of the images, of course). A much more dangerous problem is that he might place other code in your images directory, since www-data probably has write access to the directory. This means that
- An attacker can now place arbitrary code and data on your server and
- Access that code and data remotely, because it sits under the webroot of your Apache server.
These two abilities are very useful for an attacker. He might start mining bitcoins on your server, or use it to send spam e-mails, or make it part of a botnet, or use it to distribute illegal material, and so on.
The image write permissions themselves are harmless in that they can't be exploited to gain access to your server, but they are a problem once an attacker has managed to breach your server, because they give him a place to stand on, so to speak.
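
A defensive check that follows from the answer above, added here as an example and not part of the original answer: it walks the www-data-writable images directory and reports anything that is not a plain image file. The function name `audit_image_dir` and the extension allowlist are assumptions for illustration; adjust them to the image types your site actually accepts.

```python
import os
import stat
import sys

# Leading bytes of the image types this (assumed) site accepts.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def audit_image_dir(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the dir
            if not stat.S_ISREG(st.st_mode):
                findings.append((rel, "not a regular file"))
                continue
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "executable bit set"))
            ext = os.path.splitext(name)[1].lower()
            magics = IMAGE_MAGIC.get(ext)
            if magics is None:
                findings.append((rel, "extension not on image allowlist"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(magics):
                findings.append((rel, "content does not match extension"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_images.py /path/to/images  (path is site-specific)
    for rel, reason in audit_image_dir(sys.argv[1]):
        print(f"{rel}: {reason}")
```

A matching header does not prove a file is harmless, since a file can carry a valid image header and other content after it. Treat this as a periodic audit that complements configuring the web server to serve that directory as static files only.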