## WooCommerce Core Component Exposes Admin & Storefronts to Critical RCE via Locutus Dependency (CVE-2026-32304)
A critical Remote Code Execution (RCE) vulnerability in a core WooCommerce JavaScript library exposes every merchant's admin panel, and potentially storefront pages, to attack. The `@woocommerce/number` package, registered in WordPress under the script handle `wc-number`, depends on a vulnerable version of the `locutus` library (2.0.32). That release is affected by CVE-2026-32304, rated CVSS 9.8 (Critical), a flaw stemming from unsanitized input reaching the library's `create_function()` method. Because `wc-number` is loaded at runtime on any site running WooCommerce, the vulnerable code is delivered into the JavaScript execution context of every such store. As with any bundled-dependency finding, practical exploitability depends on whether `@woocommerce/number` ever invokes `create_function()` with attacker-controlled input; the report establishes the presence of the vulnerable code, not a concrete attack path, and is marked unverified.

The issue is deeply embedded in WooCommerce's architecture. The `locutus` dependency is declared in the `@woocommerce/number` package's `package.json` as `"locutus": "^2.0.16"`. A caret range permits any later 2.x release but never a new major version, so it resolves to the vulnerable 2.0.32 and can never pick up a 3.x fix on its own. Crucially, downstream plugins and extensions cannot remediate this themselves. Major ones such as WooPayments build with `@woocommerce/dependency-extraction-webpack-plugin`, which strips `@woocommerce/number` out of their bundles and replaces it with a dependency on the `wc-number` script that WooCommerce core registers. They therefore execute whichever copy core ships, with no independent path to remediation.

The exposure is systemic. The fix is available in `locutus@3.0.14`, but reaching it requires bumping the dependency range across a major version in the WooCommerce monorepo and shipping a WooCommerce release with the rebuilt `wc-number` script. Until that happens, every WooCommerce-powered site carries this critical vulnerability in a script fundamental to its operation, a widespread and urgent liability for the entire ecosystem.
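The two mechanics above, a caret range that resolves to 2.0.32 but cannot reach 3.0.14, and the need to find every installed copy of `locutus` below the fixed release, can be checked directly. The following is an added example written for this page; it is not code from WooCommerce, WooPayments or the locutus project. The caret-range logic is a deliberately minimal reimplementation of npm's semantics (no pre-release tags, no `||` or hyphen ranges), the lockfile fragment is constructed for illustration, and the package paths and non-locutus version numbers in it are placeholders rather than values taken from a real WooCommerce tree.

```javascript
// Added example (not WooCommerce's or locutus's own code).
// 1. Show why "^2.0.16" admits locutus 2.0.32 but never 3.0.14.
// 2. Audit an npm lockfile (lockfileVersion 2/3 "packages" map) for
//    installed locutus copies below the fixed release.

const FIXED_VERSION = '3.0.14';   // locutus release carrying the fix, per the report
const DECLARED_RANGE = '^2.0.16'; // range declared in @woocommerce/number's package.json

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: "^X.Y.Z" allows >= X.Y.Z and < (X+1).0.0 when X > 0.
// When X is 0 the first non-zero component becomes the ceiling instead.
// Simplified: caret ranges only, no pre-release handling.
function caretAllows(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled here: ${range}`);
  const floor = range.slice(1);
  if (compareVersions(version, floor) < 0) return false;
  const lo = parseVersion(floor);
  const v = parseVersion(version);
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Anything older than the fixed release is treated as affected.
function isVulnerableLocutus(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of an npm lockfile and return every installed
// locutus copy (top-level or nested) whose version predates the fix.
function findVulnerableLocutus(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/locutus') || !entry.version) continue;
    if (isVulnerableLocutus(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragment for illustration; paths and the non-locutus
// version numbers are placeholders, not values from a real WooCommerce tree.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@woocommerce/number': {
      version: '1.0.0',
      dependencies: { locutus: DECLARED_RANGE },
    },
    'node_modules/locutus': { version: '2.0.32' },
    'node_modules/example-tool': { version: '1.0.0', dependencies: { locutus: '^3.0.14' } },
    'node_modules/example-tool/node_modules/locutus': { version: '3.0.14' },
  },
};

console.log(`${DECLARED_RANGE} allows 2.0.32:`, caretAllows(DECLARED_RANGE, '2.0.32'));
console.log(`${DECLARED_RANGE} allows ${FIXED_VERSION}:`, caretAllows(DECLARED_RANGE, FIXED_VERSION));
console.log('vulnerable locutus copies:', findVulnerableLocutus(SAMPLE_LOCK));
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the nested-path check matters because a hardened copy at the top level does not help a plugin whose bundle, or whose externalized `wc-number` script, still resolves to an older copy elsewhere in the tree.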
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: WordPress, Supply Chain Security, JavaScript, Vulnerability, E-commerce
- **Credibility**: unverified
- **Published**: 2026-04-01 10:27:04
- **ID**: 45095
- **URL**: https://whisperx.ai/en/intel/45095