Put
[[#%3Cscript%3Ealert(1)%3C/script%3E|
On a line by itself, and you get an XSS.
It appears that this was fixed in the main code branch in r13302 by @GWicke, but the e1_img code patch was missed. The e1_img code path was added in r5693, so this issue basically effects all versions of MW ever.
@Legoktm helped discover this vulnrability