Can users send 'malicious images' to your website this way?

Hello hashnoders :)

I recently asked a question about website security. To quote a part of the answer by JasonKnight:

their uploads of client records and information were not verified to actually be valid image file formats

While I was working on a project, I decided to use a third-party media storage service like Cloudinary. After a user submits the form with all of the relative info and images, the (image) input value looks like this (see red circle in console):

The question now arises, would I still need to confirm that the url is in fact an image when I request the url from Cloudinary and spit it out on my webpage? (That is, even if services like Cloudinary already do some validation on their servers)

If yes, can you explain how a person could fake an image and send some malicious PHP code to Cloudinary instead?

P.S. I'm using the console for testing purposes only. The data and image urls will actually go to a MySQL DB.