OK, bear with me, because I haven't actually tested this.
If a null byte is passed as part of the target text, older versions of PHP/PCRE interpret that as the end of the string, which means that the user can pass an eval flag to execute the replacement text. The best explanation of it I've seen is here: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace
That null bug was fixed in PHP 5.4.7, which means that MediaWiki version ≥1.24 is immune as it requires 5.5.9. Any previous branches, like REL1_23, however, may have an arbitrary execution.
I don't have an old copy of PHP and MediaWiki around to test, but you are still distributing a REL1_23 branch, so I thought I should mention it.
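A defensive sketch of the pattern-building side of this report, added here as an example and not part of the original post or of MediaWiki's code. It assumes user-supplied text ends up inside the pattern argument of a `preg_*` call; `buildLiteralPattern` and `bracketMatches` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical helpers, not MediaWiki code.
// Written without scalar type hints so it also parses on PHP 5.3+.

// Build a pattern that matches $userText literally.
function buildLiteralPattern($userText, $modifiers = '')
{
    // A NUL byte could cut the pattern short on PHP builds that treat it
    // as end of string, dropping the closing delimiter and modifiers that
    // the application appends. Refuse it outright.
    if (strpos($userText, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in pattern input');
    }
    // Modifiers come from the application only, from a fixed allow-list.
    // 'e' (evaluate replacement as PHP) is never accepted.
    if (preg_match('/^[imsxu]*$/', $modifiers) !== 1) {
        throw new InvalidArgumentException('Unsupported modifier');
    }
    // Escape regex metacharacters and the delimiter in the user text.
    return '/' . preg_quote($userText, '/') . '/' . $modifiers;
}

// Wrap every match in brackets using a callback instead of the 'e' flag.
function bracketMatches($haystack, $userText)
{
    $pattern = buildLiteralPattern($userText, 'i');
    $result = preg_replace_callback(
        $pattern,
        function (array $m) {
            return '[' . $m[0] . ']';
        },
        $haystack
    );
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample inputs.
echo bracketMatches('Hello world', 'WORLD'), "\n";
try {
    bracketMatches('Hello world', "wor\0ld");
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), "\n";
}
```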