Using Breakdance on Multi-Site

Using Breakdance on WordPress Multi-Site is possible. Anyone with access to Breakdance will have access to the Code Block element, which will allow them to execute arbitrary PHP code. Do not grant Breakdance access to untrusted users.

Enabling Breakdance > Advanced > Allow SVG Uploads In The WP Media Library

This option is not enabled by default, because SVGs can contain malicious code. If you don’t trust the provider of the SVG, don’t upload the SVG, or better, use a plugin like https://wordpress.org/plugins/safe-svg/ that can handle the sanitization of SVGs for you.

Enabling Breakdance > Advanced > Apply the_content Filter

This option is not enabled by default and should not be enabled unless you have a need for it. Before enabling this option, you should understand the potential security implications. By default, Breakdance does not apply the_content filter to Breakdance-designed content. Enabling this option will make Breakdance run apply_filters(‘the_content’, …) on singular content created with Breakdance.

When apply_filters(‘the_content’, …) is run, shortcodes are executed. If your website displays dynamic data which is provided by users is not sanitized for shortcodes, a user could execute shortcodes. For example, if you allowed users to submit data through a form and then rendered the data inside Breakdance, and then user entered shortcodes into the form, if you enable this option, those shortcodes would be executed.

This attack is not specific to Breakdance. For more details, visit https://www.pritect.net/blog/wordpress-shortcode-injection-attack-vector.