=== Balada Fix ===
Contributors:
Donate link:
Tags: security, rest api, balada, injector, wp-json
Requires at least: 5.0
Tested up to: 6.9
Stable tag: 1.1.0
Requires PHP: 7.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Blocks unauthenticated access to vulnerable REST paths. Add paths in Settings → Balada Fix. Only admins can use them.

== Description ==

Balada Fix protects your site from unauthenticated abuse of specific WordPress REST API endpoints. Such endpoints (for example the tagDiv theme's `wp-json/tdw/save_css`) are often targeted by the "Balada Injector" and similar campaigns to inject malicious scripts.

* Add one or more REST path patterns in **Settings → Balada Fix** (one per line).
* Only logged-in administrators with the `edit_theme_options` capability can access those paths.
* Unauthenticated or unauthorized requests receive a 403 Forbidden response.

Default protected path: `tdw/save_css` (tagDiv / Newspaper theme vulnerability).

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/balada-fix/`, or install through WordPress Plugins → Add New → Upload.
2. Activate the plugin through the Plugins screen.
3. Go to Settings → Balada Fix to review or add blocked paths (one per line, e.g. `wp-json/tdw/save_css` or `tdw/save_css`).

== Frequently Asked Questions ==

= Which paths should I add? =

Add the REST path that is known to be vulnerable and should only be used by admins. Example: `tdw/save_css` for the tagDiv Composer / Newspaper theme. You can use the full path like `wp-json/tdw/save_css` or the short form `tdw/save_css`.

= Will this break my theme? =

No. Legitimate use (when you are logged in as an administrator) continues to work. Only unauthenticated or non-admin access to the listed paths is blocked.

== Changelog ==

= 1.1.0 =
* Added Settings → Balada Fix page to configure blocked paths.
* Support for multiple paths (one per line).
* Default path: tdw/save_css.

= 1.0.0 =
* Initial release. Blocked unauthenticated access to tdw/save_css.

== Upgrade Notice ==

= 1.1.0 =
You can now add and edit blocked paths in Settings → Balada Fix (one per line).
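The following is an added example of how the behaviour described above (a list of REST paths, each accepting either the `wp-json/tdw/save_css` or the `tdw/save_css` form, reachable only by a logged-in user with `edit_theme_options`, 403 otherwise) can be implemented. It is not the Balada Fix plugin's own code. The option name `balada_fix_paths`, the `balada_fix_example_*` function names, and the choice to also match sub-routes of a configured path are assumptions made for this example.

```php
<?php
/**
 * Added example, not the Balada Fix plugin's own code.
 * Assumes the settings page stores the configured paths in an option
 * named 'balada_fix_paths' as a newline-separated string (assumed name).
 */

// Normalise a configured path or a request route to a comparable form:
// lowercase, no surrounding slashes, and without a leading "wp-json/".
function balada_fix_example_normalize( string $path ): string {
    $path = strtolower( trim( $path ) );
    $path = trim( $path, '/' );
    if ( 0 === strpos( $path, 'wp-json/' ) ) {
        $path = substr( $path, strlen( 'wp-json/' ) );
    }
    return trim( $path, '/' );
}

// Read the protected paths (one per line) from the option, falling back
// to the readme's default of tdw/save_css. Blank lines are ignored.
function balada_fix_example_protected_paths(): array {
    $raw   = get_option( 'balada_fix_paths', 'tdw/save_css' ); // assumed option name
    $paths = array();
    foreach ( preg_split( '/\r\n|\r|\n/', (string) $raw ) as $line ) {
        $normalized = balada_fix_example_normalize( $line );
        if ( '' !== $normalized ) {
            $paths[] = $normalized;
        }
    }
    return array_values( array_unique( $paths ) );
}

// True when the request route equals a configured path or is a sub-route
// of it (e.g. "tdw/save_css/extra"). Sub-route matching is a design choice
// of this example, not something the readme specifies.
function balada_fix_example_is_protected( string $route, array $paths ): bool {
    $route = balada_fix_example_normalize( $route );
    foreach ( $paths as $protected ) {
        if ( $route === $protected || 0 === strpos( $route, $protected . '/' ) ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs after REST authentication has resolved the current
// user (cookie + nonce, application passwords, ...), so capability checks
// here see the real caller. Returning a WP_Error with status 403 makes the
// REST server answer 403 Forbidden instead of dispatching the route.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. "/tdw/save_css"
    if ( ! balada_fix_example_is_protected( $route, balada_fix_example_protected_paths() ) ) {
        return $result; // not a protected path: let WordPress continue
    }
    if ( is_user_logged_in() && current_user_can( 'edit_theme_options' ) ) {
        return $result; // authorised administrator: continue
    }
    return new WP_Error(
        'balada_fix_forbidden',
        'This endpoint is restricted to administrators.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

Hooking `rest_pre_dispatch` and comparing against `$request->get_route()` matters: a check that only inspects the `REQUEST_URI` string for `wp-json/...` would miss the same endpoint when it is called through the `?rest_route=/tdw/save_css` query form that WordPress also accepts. To confirm the rule is active after deploying something like this, request the protected path from a logged-out browser or with `curl -i` and check that the response status is 403, then repeat while logged in as an administrator and check that it succeeds.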