As Boone told you already, there are no known security issues with BuddyPress.
Can we figure this out? There must be a method for third parties to gain access to private groups, as it has occurred on my site.
I running the latest versions of WP and BP.
I use a modified version of ElegantTheme eStore.
I use WP eMember to protect content.
I don’t believe any other plugins could conceivably conflict with this issue.
I believe the person was using a program to access the content, as I have access to a cropped screen grab of the content from them and it doesn’t look like my site.
Since your site was compromised, and you are the resident expert with your configuration, we rely on you to fill in any gaps that you can.
If you get to the point where you’ve identified a clear and repeatable security issue with WordPress, BuddyPress, bbPress, or any other plugin, let is know by checking out the following page:
https://codex.wordpress.org/FAQ_Security
Thanks, and good luck.
Having the identical issue as above. Spammer registers for site, activates and then I find them in a private group. No request to join, no approval by Group Admin. The only clue I have is that when looking at their profile it says they belong to the private group but the button to the right still says “request permission”. Somehow bypassing the approval process.