BuddyBoss platform compromised, hundreds of websites already hacked


Cybernews has discovered an ongoing attack against live servers running BuddyBoss, a premium WordPress platform for e-learning and online communities. Hundreds of websites have already been compromised, and thousands remain at risk. Admins are advised to take immediate action: disable automatic updates, roll back to a backup taken before the malicious versions were installed, and assume compromise.

Key takeaways:

  • The Cybernews research team has identified an active malicious campaign targeting the BuddyBoss ecosystem.
  • A supply chain attack compromised the BuddyBoss Platform plugin and BuddyBoss Theme. A threat actor published malicious versions of the software on the company's update server.
  • At the time of writing, 309 websites relying on these tools have already had their credentials and databases exfiltrated.

BuddyBoss is a software company that builds popular premium WordPress tools for creating online communities, membership sites, and e-learning platforms. BuddyBoss serves over 50,000 customers, 27,000 of whom use BuddyBoss Platform or BuddyBoss Theme packages.


“Thousands of websites are in danger of complete compromise. This attack allows threat actors to inject malicious code into official plugin and theme updates distributed to live WordPress websites,” Cybernews researchers warn.

Our researchers notified the company, which promptly started an internal investigation.

However, due to ongoing exploitation, releasing the findings immediately is also in the public's interest, allowing administrators to take immediate action and protect against the attack.

Cybernews has reached out to BuddyBoss for comment and will update this article with its response.

Live Stripe payment keys found on the attacker's server, exfiltrated from victim websites. Image by Cybernews.

What happened?

On March 19th, 2026, Cybernews security researchers discovered a publicly exposed server operated by a threat actor, part of the infrastructure used for attacks against the BuddyBoss ecosystem.

The directory contained original source code, cloned from the public GitHub repositories for BuddyBoss Platform and BuddyBoss Theme, as well as malicious versions modified by the attacker.

The tampered versions included credential-stealing functionality and were capable of establishing a reverse shell for remote control.

Official source code vs changes made by the attacker. Image by Cybernews.

“The contents of the exposed server confirmed the ongoing attack. It contained the logs, a list of compromised websites, exfiltrated credentials, as well as database dumps,” our researchers said.

“Most importantly, it also included a chat transcript exported from Claude, allowing us to retrace the steps taken to execute the attack.”

It appears that the threat actor first obtained the private key protecting the BuddyBoss update server. They then misused the Claude coding assistant to craft malicious updates for BuddyBoss Theme and BuddyBoss Platform.

Attacker's reverse shell listener/receiver. Image by Cybernews.

Claude was then used again to find a way to publish the malicious update on BuddyBoss’s update server. The compromised versions were BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2.

“These versions were updated with automated credential harvesting functionality, compromising all servers running them. Attackers are also capable of establishing remote shells on affected servers for remote code execution,” Cybernews researchers confirmed.

Exfiltrated database dumps found on the attacker's server. Image by Cybernews.

The attackers have already collected credentials and database dumps from dozens of compromised websites.

Based on the logs and exfiltrated files found on the attacker's server, the attack appears to have started on March 17th, 2026, at 16:20 (timezone unknown).

“We saw new BuddyBoss customers' servers being compromised in real time, which underscores the urgency to protect the servers,” our researchers said.

Exfiltrated credentials sorted by victim server IP. Image by Cybernews.

The stolen credentials are extremely sensitive – they include live secret keys for Stripe, an online payment service. Such keys can be abused to move money and to access sensitive financial data.

What needs to be done immediately?

All website administrators who use BuddyBoss Theme or BuddyBoss Platform are advised to do the following:

  • Temporarily disable automatic updates.
  • Revert to server backups made before updating to BuddyBoss Platform 2.20.3 or BuddyBoss Theme 2.19.2.
  • Inspect and monitor server logs for potential indicators of compromise, including outbound connections from the web server, since the payload calls back to the attacker's infrastructure.
  • Rotate all exposed passwords, API tokens, and other credentials, including payment provider keys stored on the site.

Cybernews also recommends that BuddyBoss investigate its update servers immediately: confirm whether the malicious updates are still being served, remove any compromised code from the affected servers and secure them, and inform authorities and customers with details of the investigation and the required mitigations.

Files changed in the malicious updates, with SHA-256 checksums:

  • BuddyBoss Platform: bp-loader.php (SHA-256: ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42)
  • BuddyBoss Theme: functions.php (SHA-256: 5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144)
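As an added example (not code from the article, from Cybernews, or from BuddyBoss), the following Python script turns the recommendations above and the two published checksums into an offline check an administrator can run on the web host: it reads the installed version from each component's file header, hashes the two files named as modified, and compares the results with the checksums listed above. The directory slugs buddyboss-platform and buddyboss-theme under wp-content, the header locations used for version detection, and the sample install it builds for its own test run are assumptions, not details taken from the article.

```python
"""Offline IOC check for the BuddyBoss Platform 2.20.3 / Theme 2.19.2 supply chain compromise.

Added example, not BuddyBoss or Cybernews code. Run on the web host:
    python3 bb_ioc_check.py /var/www/html
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# SHA-256 checksums published for the two modified files.
IOC_HASHES = {
    "bp-loader.php": "ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42",
    "functions.php": "5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144",
}

# Versions that shipped the tampered files.
BAD_VERSIONS = {"buddyboss-platform": "2.20.3", "buddyboss-theme": "2.19.2"}

# ASSUMED on-disk layout below the WordPress root (directory slugs and header
# locations are assumptions, not taken from the article). The plugin keeps its
# version header in bp-loader.php itself; a theme keeps it in style.css.
TARGETS = {
    "buddyboss-platform": {
        "header": "wp-content/plugins/buddyboss-platform/bp-loader.php",
        "payload": "wp-content/plugins/buddyboss-platform/bp-loader.php",
    },
    "buddyboss-theme": {
        "header": "wp-content/themes/buddyboss-theme/style.css",
        "payload": "wp-content/themes/buddyboss-theme/functions.php",
    },
}

# Matches "Version: 2.20.3" or " * Version: 2.20.3" inside a WordPress file header.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

VERDICT_HASH = "compromised: file hash matches published IOC"
VERDICT_VERSION = "compromised: tampered version installed, assume compromise"
VERDICT_CLEAN = "no indicator"


def header_version(text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin/theme header, if present."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(wp_root) -> Dict[str, dict]:
    """Check each BuddyBoss component under wp_root against version and hash IOCs."""
    root = Path(wp_root)
    findings: Dict[str, dict] = {}
    for component, paths in TARGETS.items():
        header, payload = root / paths["header"], root / paths["payload"]
        if not header.exists():
            findings[component] = {"installed": False}
            continue
        version = header_version(header.read_text(errors="replace"))
        digest = sha256_file(payload) if payload.exists() else None
        ioc_hit = digest is not None and digest == IOC_HASHES[payload.name]
        bad_version = version == BAD_VERSIONS[component]
        # A hash match is conclusive; a version match alone still means rollback,
        # since the article's advice is to assume compromise.
        verdict = VERDICT_HASH if ioc_hit else (VERDICT_VERSION if bad_version else VERDICT_CLEAN)
        findings[component] = {
            "installed": True,
            "version": version,
            "bad_version": bad_version,
            "payload_sha256": digest,
            "ioc_hit": ioc_hit,
            "verdict": verdict,
        }
    return findings


def build_fixture() -> Path:
    """CONSTRUCTED sample install for offline testing; these are not real BuddyBoss files."""
    root = Path(tempfile.mkdtemp(prefix="bb-ioc-"))
    plugin = root / "wp-content/plugins/buddyboss-platform"
    plugin.mkdir(parents=True)
    (plugin / "bp-loader.php").write_text(
        "<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n"
    )
    theme = root / "wp-content/themes/buddyboss-theme"
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/*\nTheme Name: BuddyBoss Theme\nVersion: 2.19.1\n*/\n")
    (theme / "functions.php").write_text("")  # empty file: known SHA-256, not an IOC hit
    return root


def demo() -> Dict[str, dict]:
    """Scan the constructed fixture: tampered plugin version, older theme version."""
    return scan(build_fixture())


if __name__ == "__main__":
    import sys
    for name, finding in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, finding)
```

A hash mismatch is not a clean bill of health: the attacker could ship variants of the files, and the published checksums cover only the two files named. Treat any install that reports the tampered versions as compromised and follow the rollback and credential rotation steps above.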

The attackers use the same launchpad server as both the data exfiltration endpoint and the reverse shell endpoint for compromised servers.

The risks cascade down the supply chain

The full scope of the compromise is not yet known. Hundreds of compromised servers could create a cascading effect, leading to more compromises of the underlying infrastructure and users.

“What’s unique about this attack is the supply chain compromise. Attackers do not target individual WordPress websites, which is the usual approach, but are waiting for servers to be updated. The update mechanism itself spreads the malicious payload, infects websites that have their admins manually install the malicious update, or have automatic updates enabled,” our researchers said.

Log of exfiltrated credentials from victims, with timestamps. Image by Cybernews.

This incident highlights the difficult choice software users have to make – they’re often urged to apply patches immediately to protect against discovered vulnerabilities. However, immediate updates expose them to supply chain risks.


“It's becoming increasingly important to inspect the updates before installing, purposefully waiting, and confirming that it wouldn’t cause any issues. Many companies switch to the ‘n-1’ tactic, meaning they stay one version behind the most recent software version to manage the supply chain risk,” Cybernews researchers noted.

The unknown attacker is fluent in French

Cybernews could not attribute the attack to any specific threat actor. However, the chat transcripts were in French, a possible clue to the threat actor's origin.

“The transcripts saved by the threat actor reveal that the attack chain, for the most part, was performed by Claude, Anthropic’s large language model. The attacker likely used a jailbreak to convince the model to help with the attack,” the researchers said.

Claude chat transcript found on the attacker's server. Image by Cybernews.

It appears that the attacker convinced the chatbot they were playing a Capture The Flag (CTF) challenge, a common practice in cybersecurity for improving skills and understanding platforms and their weaknesses in a safe environment.

Attacker's server hosting payloads, working files, exfiltrated data, and tooling. Image by Cybernews.

What is BuddyBoss?

BuddyBoss is a private software company that was acquired by Awesome Motive in 2025. It develops BuddyBoss WordPress plugins, themes, apps, and other software tailored for small businesses building their own learning platforms and community websites.

BuddyBoss claims that its plugin and themes are actively installed on over 27,000 servers.

Awesome Motive is a company that started by developing its own WordPress plugins but shifted to acquiring other companies that build and maintain WordPress plugins.

Disclosure timeline

Threat Actor’s server discovered: March 19th, 2026, 06:54 UTC

Disclosure to BuddyBoss: March 19th, 2026, 12:29 UTC

BuddyBoss confirmed the receipt of disclosure and the start of internal investigation: March 19th, 2026, 13:40 UTC

