The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job: https://jenkins.io/blog/2016/05/11/security-update/
Since Stash Pullrequest builder defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails. See an example resulting failure at https://github.com/nemccarthy/stash-pullrequest-builder-plugin/issues/84
Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.
This similar to issue seen in GHPRB plugin.