Thank you all for your support! It turns out the issue was caused by a filter from our hosting provider that mistakenly flagged the behavior as an SQL injection. They’ve now disabled that filter, and everything is working properly.
Appreciate the quick response, @wpmudev-support2! I’ll check in with my client and circle back soon
