
BuddyBoss platform compromised, hundreds of websites already hacked

Cybernews has discovered an ongoing attack against live servers running BuddyBoss, a premium WordPress platform for e-learning and online communities. Hundreds of websites have been compromised, and thousands remain in danger. Admins are advised to take immediate action: disable updates, revert any recent changes, and assume compromise.

BuddyBoss attack. Image by Cybernews.

Ernestas Naprys, Senior Journalist
Mar 20, 2026. Updated: 24 March 2026.
Key takeaways:
Live Stripe payment keys found on attacker's server. Image by Cybernews.

What happened?

Official source code vs changes made by the attacker. Image by Cybernews.
Attacker's reverse shell listener/receiver. Image by Cybernews.
Exfiltrated database dumps. Image by Cybernews.
Exfiltrated credentials by server IP. Image by Cybernews.

What needs to be done immediately?

  • Temporarily disable automatic updates.
  • Revert to server backups made before updating to BuddyBoss Platform 2.20.3 or BuddyBoss Theme 2.19.2.
  • Inspect and monitor server logs for potential indicators of compromise.
  • Rotate all exposed passwords, API tokens, and other credentials.
  • BuddyBoss Platform: bp-loader.php (SHA256 Checksum: ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42)
  • BuddyBoss Theme: functions.php (SHA256 Checksum: 5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144)
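As an added example (not Cybernews' or BuddyBoss' code), the script below hashes every `bp-loader.php` and `functions.php` under a web root and compares each against the two checksums listed above. Searching by file name under a root passed on the command line is an assumption, since the page gives no install paths. The page also does not say what a match means, so the script reports only "MATCH" or "differs".

```python
import hashlib
import os
import sys

# Checksums exactly as listed on the page, keyed by file name.
LISTED = {
    "bp-loader.php": "ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42",
    "functions.php": "5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144",
}


def sha256_file(path, chunk=65536):
    """Stream the file so large files are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, listed=LISTED):
    """Return sorted (path, digest, matches_listed) for files under root named in `listed`."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in listed:
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError as exc:
                # Unreadable files are reported rather than silently skipped.
                results.append((path, f"unreadable: {exc}", False))
                continue
            results.append((path, digest, digest == listed[name].lower()))
    return sorted(results)


if __name__ == "__main__":
    # Hypothetical usage: pass the WordPress document root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, match in scan(root):
        print(f"{'MATCH' if match else 'differs'}  {digest}  {path}")
```

Every WordPress theme ships a `functions.php`, so most results for that name will be unrelated files that simply differ.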

The risks cascade down the supply chain

Log of detailed credentials from victims. Image by Cybernews.

The unknown attacker is fluent in French

Claude chat transcript found on the attacker's server. Image by Cybernews.
Attacker's server hosting payloads, exfiltrated data, tooling. Image by Cybernews.

What is BuddyBoss?

Disclosure timeline

