I believe just like other PR builder plugins, this one is affected by the SECURITY-170 but is not on the page that tracks them: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

08:23:33 FATAL: Command "git rev-parse origin/${targetBranch}^{commit}" returned status code 128:
08:23:33 stdout: origin/${targetBranch}^{commit}

This used to work with Jenkins 2.2