This Premium WordPress plugin and theme have been compromised – here's how to check your website hasn't been infected
BuddyBoss had its update server compromised
- Ongoing cyberattack compromises BuddyBoss update system
- Malicious updates steal admin credentials, Stripe keys, and databases
- Hundreds of sites already hit; thousands more at risk, admins urged to disable auto-updates and rotate credentials
A major cyberattack against websites running the BuddyBoss WordPress plugin is currently ongoing, and users are urged to secure their assets or risk complete compromise and website takeover.
BuddyBoss is a WordPress platform and theme people can use to create online communities, membership sites, and e-learning platforms. It apparently has 50,000 customers, including 27,000 BuddyBoss Platform and BuddyBoss Theme package users.
According to Cybernews, an unidentified French-speaking threat actor somehow broke into the system that delivers software updates for BuddyBoss. There, they used Claude to help write malicious code and figure out how to push it to the update server.
Hundreds of compromised sites
Popular AI tools such as Claude have strict guardrails that prevent this kind of abuse, but the attackers managed to trick it (likely by presenting the task as a harmless hacking challenge).
After inserting malware into the updates, they simply waited for users to install them, compromising their websites in the process. The attack was reportedly first spotted on March 19. The malware was designed to steal admin passwords and API keys, copy entire databases, and open a backdoor that grants remote control access.
According to Cybernews, some of the data already stolen in the campaign includes Stripe payment keys, making this campaign particularly worrisome.
The compromised versions are BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2. All website admins using either of these are urged to temporarily disable automatic updates, revert to server backups made before updating to these versions, and then analyze their server logs for potential indicators of compromise. Finally, all passwords, API tokens, and other credentials should be rotated as soon as possible.
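One way to check which versions are installed, as an added example that is not from the article or from BuddyBoss: it reads the standard WordPress `Plugin Name`/`Theme Name`/`Version` file headers under `wp-content` and flags the two versions named above. It assumes the header names equal the product names given in the article; the directory names in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Versions the article names as compromised. Assumption: the WordPress header
# names equal the product names used in the article (compared case-insensitively).
COMPROMISED = {"buddyboss platform": "2.20.3", "buddyboss theme": "2.19.2"}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version)\s*:\s*(.+?)\s*$",
                    re.IGNORECASE | re.MULTILINE)

def read_headers(path):
    """Parse WordPress file headers from the first 8 KiB of a file."""
    try:
        text = path.read_bytes()[:8192].decode("utf-8", errors="replace")
    except OSError:
        return {}
    headers = {}
    for key, value in HEADER.findall(text):
        # Keep the first occurrence; strip a trailing comment terminator.
        headers.setdefault(key.lower(), value.rstrip("*/ ").strip())
    return headers

def scan(wp_content):
    """Return (file, product, version, is_compromised_version) per BuddyBoss component."""
    root = Path(wp_content)
    candidates = list(root.glob("plugins/*/*.php")) + list(root.glob("themes/*/style.css"))
    findings = []
    for path in sorted(candidates):
        h = read_headers(path)
        name = (h.get("plugin name") or h.get("theme name") or "").lower()
        if name in COMPROMISED:
            version = h.get("version", "unknown")
            findings.append((path.relative_to(root).as_posix(), name, version,
                             version == COMPROMISED[name]))
    return findings

def demo():
    """Build a constructed wp-content tree (sample data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "plugins/example-platform-dir/loader.php": "<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n",
            "themes/example-theme-dir/style.css": "/*\nTheme Name: BuddyBoss Theme\nVersion: 2.19.1\n*/\n",
            "plugins/other/other.php": "<?php\n/* Plugin Name: Something Else\n Version: 2.20.3 */\n",
        }
        for rel, body in samples.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        return scan(tmp)
```

On a real site, call `scan()` with the path to `wp-content`. A match shows only that a version the article names is installed; the log review and credential rotation described above still apply.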
Cybernews says “hundreds of websites” have already been compromised, with “thousands” more remaining in danger. At press time, at least 309 websites have had their credentials and databases exfiltrated.
Via Cybernews
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.