This PR solves the issue and has already been merged: https://github.com/jenkinsci/repository-connector-plugin/pull/19
It seems the developer(s) are not actively involved with managing the plugin.
If feasible, download the source, build it (mvn package) and use the plugin.
The workaround may help but has these issues:
1 - Keeping undefined parameters set to true brings back the security risk.
2 - Set safe parameters. However, each developer will then have to provide the parameter names to the Jenkins admin, making it a tedious task for the admin.