Plex Media Server Weak CORS Policy

The Plex Media Server has a weak cross-origin resource sharing (CORS) policy. By default, an Access-Control-Allow-Origin header is returned by a media server with a value of '*', meaning any origin is allowed to send requests to the media server. A remote, unauthenticated attacker is able to exploit this to steal an X-Plex-Token and/or force a victim user to send requests to their own server without their knowledge. This would allow the attacker to, for example, access private media, change server settings, reboot media server services, etc.

This vulnerability would be exploited via a phishing attack, where a victim admin user would be tricked into logging into the attacker's Plex Media Server. The client-side code in the victim's browser, hosted by the attacker's media server, would then be able to access media server(s) that the victim administers. This scenario is shown in the PoC below.

Proof of Concept

In the image below, a victim user hosts a Plex Media Server at 34.207.124.74, and an attacker hosts a media server at 18.234.58.243. The victim user just logged into the attacker's server, and the following preflight request/response was observed.

Note, the IP addresses in the video differ from the previous example.