Ongoing BuddyBoss Attack Affects Hundreds of WordPress Sites

By Thomas | Published on March 24, 2026

Cybernews researchers have uncovered an active attack against BuddyBoss, a premium WordPress platform widely used for e-learning and community websites. The attack appears to involve compromised updates for both the BuddyBoss Platform and BuddyBoss Theme. Hundreds of websites have reportedly already been affected, and hundreds more may be at risk. Administrators are being urged to take immediate measures to secure their systems.

About BuddyBoss

BuddyBoss, acquired by Awesome Motive in 2025, serves over 50,000 customers, with roughly 27,000 using the affected platform and theme packages. The company develops WordPress plugins and themes designed to help businesses create websites and e-learning platforms, providing tools for social networking, course management, and user engagement. BuddyBoss confirmed receiving the disclosure from Cybernews and has initiated an internal investigation. At the time of writing, it is still unclear whether the malicious updates have been fully removed or contained.

The Breach

According to Cybernews, the attackers obtained a private key for BuddyBoss’s update server. This access allowed them to release altered versions of BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2. These versions reportedly included code that could steal credentials and allow remote access to affected servers. The malicious updates are said to automatically collect passwords and API keys and can establish reverse shells for remote control.

The attack came to light after Cybernews discovered an exposed server containing both the original BuddyBoss source code and the tampered versions. The server reportedly held logs, exfiltrated credentials, and database dumps from compromised websites. Researchers also noted chat transcripts in French suggesting the attacker may have used the Claude AI coding assistant to develop and deploy the malicious updates.

Extent of the Threat

Cybernews reports that at least 309 websites have already been compromised, with credentials and database information stolen. Among the data at risk are live secret keys for payment services such as Stripe, which could be misused to access financial information. Because the attack leverages the update mechanism itself, it is considered a supply chain compromise, allowing the malicious code to spread across multiple sites automatically.

Researchers indicate the attack began on March 17, 2026, with new compromises observed in real time. Sites that have not recently installed updates could still be vulnerable if automatic updates are active or if updates are applied without thorough verification.

Steps for Administrators

Cybernews advises administrators to disable automatic updates for BuddyBoss plugins and themes temporarily. It also recommends restoring backups made prior to the affected versions, closely monitoring server logs, and rotating any exposed credentials. The report emphasizes the importance of carefully inspecting updates before applying them, as waiting to adopt the latest version can reduce exposure to supply chain risks.
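
As a starting point for that inspection, the following added example (not code from Cybernews or BuddyBoss) inventories a site's wp-content directory and flags installed copies of BuddyBoss Platform or BuddyBoss Theme whose version matches the releases named in the report. It assumes the standard WordPress file-header format; the sample tree and its directory names are constructed, and a version match marks a site for review rather than proving tampering.

```python
import re
import tempfile
from pathlib import Path

# Versions named in the report as having been re-released in altered form.
FLAGGED = {"BuddyBoss Platform": "2.20.3", "BuddyBoss Theme": "2.19.2"}

# WordPress reads "Plugin Name:" / "Theme Name:" and "Version:" from a comment
# header near the top of a plugin's main PHP file or a theme's style.css.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(path):
    """Return (name, version) from a WordPress file header, or None."""
    try:
        head = path.read_bytes()[:8192].decode("utf-8", "replace")
    except OSError:
        return None
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value.strip())
    name = fields.get("plugin name") or fields.get("theme name")
    return (name, fields.get("version")) if name else None

def scan(wp_content):
    """List (name, version, flagged, file) for BuddyBoss packages under wp-content."""
    root = Path(wp_content)
    candidates = list(root.glob("plugins/*/*.php")) + list(root.glob("themes/*/style.css"))
    findings = []
    for path in sorted(candidates):
        hdr = read_header(path)
        if hdr and hdr[0] in FLAGGED:
            findings.append((hdr[0], hdr[1], hdr[1] == FLAGGED[hdr[0]], str(path)))
    return findings

def demo():
    """Build a constructed wp-content tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        samples = {  # constructed sample files; directory names are hypothetical
            "plugins/platform-dir/loader.php": "<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n",
            "plugins/other/other.php": "<?php\n/*\nPlugin Name: Something Else\nVersion: 2.20.3\n*/\n",
            "themes/theme-dir/style.css": "/*\nTheme Name: BuddyBoss Theme\nVersion: 2.19.1\n*/\n",
        }
        for rel, text in samples.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(text)
        return [(n, v, f) for n, v, f, _ in scan(base)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real host, call `scan()` with the path to the site's wp-content directory; any row with the flag set identifies a site to prioritize for backup restoration and credential rotation.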

Conclusion

This incident underscores the vulnerability of software supply chains, particularly when update mechanisms are targeted. The combination of credential theft, remote access, and sensitive financial data exposure poses a significant risk to numerous websites. Administrators are encouraged to take the threat seriously and implement the recommended precautions while the full extent of the compromise continues to be assessed.
