=== Balada Fix ===
Contributors: 
Donate link: 
Tags: security, rest api, balada, injector, wp-json
Requires at least: 5.0
Tested up to: 6.9
Stable tag: 1.1.0
Requires PHP: 7.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Blocks unauthenticated access to vulnerable REST paths. Add paths in Settings → Balada Fix. Only admins can use them.

== Description ==

Balada Fix protects your site from unauthenticated abuse of specific WordPress REST API endpoints. Such endpoints (for example the tagDiv theme's `wp-json/tdw/save_css`) are often targeted by the "Balada Injector" and similar campaigns to inject malicious scripts.

* Add one or more REST path patterns in **Settings → Balada Fix** (one per line).
* Only logged-in administrators with the `edit_theme_options` capability can access those paths.
* Unauthenticated or unauthorized requests receive a 403 Forbidden response.

Default protected path: `tdw/save_css` (tagDiv / Newspaper theme vulnerability).
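The following sketch is an added example, not the Balada Fix plugin's own code: it shows one way to enforce the rule described above by filtering on the dispatched REST route, which covers both `/wp-json/tdw/save_css` and the `?rest_route=/tdw/save_css` form of the same request. The option name `example_blocked_rest_paths`, the `example_*` function names and the prefix-matching behavior are assumptions made for illustration.

```php
<?php
// Added illustration; not the Balada Fix plugin's source.
// Assumption: blocked paths are stored one per line in the hypothetical
// option 'example_blocked_rest_paths'.

/**
 * Normalize the configured lines so that "wp-json/tdw/save_css",
 * "/tdw/save_css/" and "tdw/save_css" all become "tdw/save_css".
 */
function example_normalize_paths( $raw ) {
    $paths = array();
    foreach ( preg_split( '/\R/', (string) $raw ) as $line ) {
        $line = strtolower( trim( trim( $line ), '/' ) );
        if ( 0 === strpos( $line, 'wp-json/' ) ) {
            $line = substr( $line, strlen( 'wp-json/' ) );
        }
        if ( '' !== $line ) {
            $paths[] = $line;
        }
    }
    return array_unique( $paths );
}

/** True when the route equals a blocked path or lies underneath it. */
function example_route_is_blocked( $route, array $paths ) {
    // Compare in lower case so a mixed-case request cannot slip past the list.
    $route = strtolower( trim( (string) $route, '/' ) );
    foreach ( $paths as $path ) {
        if ( $route === $path || 0 === strpos( $route, $path . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $raw = get_option( 'example_blocked_rest_paths', 'tdw/save_css' );
    if ( ! example_route_is_blocked( $request->get_route(), example_normalize_paths( $raw ) ) ) {
        return $result; // Not a protected route: leave the request untouched.
    }
    if ( is_user_logged_in() && current_user_can( 'edit_theme_options' ) ) {
        return $result; // Authorized administrator: allow normal dispatch.
    }
    // Everyone else is refused before the endpoint's callback can run.
    return new WP_Error( 'rest_forbidden', 'Forbidden.', array( 'status' => 403 ) );
}, 10, 3 );
```

To confirm the protection on a live site, request a listed path without credentials and check that the response status is 403.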

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/balada-fix/`, or install through WordPress Plugins → Add New → Upload.
2. Activate the plugin through the Plugins screen.
3. Go to Settings → Balada Fix to review or add blocked paths (one per line, e.g. `wp-json/tdw/save_css` or `tdw/save_css`).

== Frequently Asked Questions ==

= Which paths should I add? =

Add the REST path that is known to be vulnerable and should only be used by admins. Example: `tdw/save_css` for the tagDiv Composer / Newspaper theme. You can use the full path like `wp-json/tdw/save_css` or the short form `tdw/save_css`.

= Will this break my theme? =

No. Legitimate use (when you are logged in as an administrator) continues to work. Only unauthenticated or non-admin access to the listed paths is blocked.

== Changelog ==

= 1.1.0 =
* Added Settings → Balada Fix page to configure blocked paths.
* Support for multiple paths (one per line).
* Default path: tdw/save_css.

= 1.0.0 =
* Initial release. Blocked unauthenticated access to tdw/save_css.

== Upgrade Notice ==

= 1.1.0 =
You can now add and edit blocked paths in Settings → Balada Fix (one per line).

== Screenshots ==

1. Screenshot of the installed plugin.