Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: qc on May 06, 2016, 10:04:17 PM

Title: [SMF 2.0.11] Anti-CSRF fix against [img]index.php?action=EVIL[/img] is useless.
Post by: qc on May 06, 2016, 10:04:17 PM
I stumbled over this fix in Subs-Post.php
// Now fix possible security problems with images loading links automatically...
$message = preg_replace_callback('~(\[img.*?\])(.+?)\[/img\]~is', 'action_fix__preg_callback', $message);
which prevents bogus [img]/index.php?action=DANGEROUS[/img] images, which would cause the user's browser to perform the DANGEROUS action, from being included and shown to the user reading said post.

The fix replaces "action=" with "action-" and was probably included because of this advisory: http://websec.ca/advisories/view/SMF_CSRF_Filter_Bypass

However, it has always been and is still possible to include images with such an "action" URL by simply pointing to an HTTP redirect, e.g. [img]http://bit.ly/blabla[/img] with http://bit.ly/blabla redirecting to /index.php?action=DANGEROUS

In summary: this fix never worked, and should therefore be removed. The underlying problem that this fix was addressing should be fixed directly by e.g. introducing CSRF protection tokens where they are still missing (e.g. search).
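The token-based protection the post recommends, as an added example that is not part of the original report and not SMF's own code: a random token is bound to the session, embedded in the form, and checked on the state-changing action, which also only accepts POST. A request triggered by an [img] tag (directly or via a redirect) is a plain GET with no token, so it is rejected whatever the URL says. The function names, the session key `csrf_token` and the action name `example_action` are assumptions for illustration.

```php
<?php
// Added example (not SMF's code): per-session anti-CSRF token for
// state-changing actions. Function names and the action name are assumptions.

session_start();

// Issue (or reuse) a random token bound to the current session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token sent with a request against the session's token.
// Returns false if it is absent or does not match; hash_equals() compares
// in constant time so the check does not leak the token byte by byte.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// A state-changing action accepts only POST carrying a valid token.
// An image load (or a redirect to index.php?action=...) arrives as a GET
// without the token, so it never reaches the action body.
if (($_GET['action'] ?? '') === 'example_action') {   // hypothetical action
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... perform the state-changing action here ...
}

// Rendering the form: embed the token as a hidden field.
?>
<form method="post" action="index.php?action=example_action">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Submit</button>
</form>
```

Because the token lives in the server-side session and is compared with hash_equals(), rewriting or filtering URL text in posts is no longer needed for this class of problem: the check happens at the action, not at the point where a link or image is displayed.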
Title: Re: [SMF 2.0.11] Anti-CSRF fix against [img]index.php?action=EVIL[/img] is useless.
Post by: qc on October 05, 2016, 03:55:19 PM
This issue seems to be still present in 2.0.12