Imagine a comment box where each comment has to be approved by the moderator in his backend.
If the backend used GET requests for comment moderation, the URL to moderate a post would look something like this:
http://yourdomain.com/moderate/:decision/:postid
For example:
- http://yourdomain.com/moderate/allow/1
- http://yourdomain.com/moderate/deny/2
- …
If some evil person posted a comment and knew their postid (let's say 12), they could try to email you a link to http://yourdomain.com/moderate/allow/12 with a caption that says "Cute cat gifs". You would click on it and BOOM, the comment would be published…
How about links that would delete valuable content? Or issue a financial transaction over 2000€ to somebody else?
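
The moderation route above, as an added example that is not code from the original page: a framework-free Python sketch of the state-changing GET handler next to a version that only accepts POST with a per-session anti-CSRF token. The handler names, the in-memory state and the `csrf_token` form field are assumptions made for illustration.

```python
import hmac
import secrets

DECISIONS = {"allow": "published", "deny": "rejected"}

def new_state():
    # Constructed sample data: post 12 awaits moderation and the moderator is
    # logged in, so every call below is treated as carrying his session cookie.
    return {"posts": {12: "pending"}, "csrf_token": secrets.token_urlsafe(32)}

def parse(path):
    # Matches /moderate/:decision/:postid, returns (decision, postid) or None.
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "moderate":
        return None
    if parts[1] not in DECISIONS or not parts[2].isdecimal():
        return None
    return parts[1], int(parts[2])

def vulnerable_handler(state, method, path, form=None):
    # The article's pattern: any request, including a clicked link, changes state.
    route = parse(path)
    if route is None or route[1] not in state["posts"]:
        return 404
    state["posts"][route[1]] = DECISIONS[route[0]]
    return 200

def hardened_handler(state, method, path, form=None):
    route = parse(path)
    if route is None or route[1] not in state["posts"]:
        return 404
    if method != "POST":  # a clicked link only ever issues GET
        return 405
    sent = (form or {}).get("csrf_token", "")
    # Another site can make the browser send the cookie, but cannot read this token.
    if not hmac.compare_digest(sent.encode(), state["csrf_token"].encode()):
        return 403
    state["posts"][route[1]] = DECISIONS[route[0]]
    return 200

if __name__ == "__main__":
    for handler in (vulnerable_handler, hardened_handler):
        state = new_state()
        status = handler(state, "GET", "/moderate/allow/12")  # the emailed link
        print(handler.__name__, status, state["posts"][12])
```

In the hardened version the moderation form rendered by the backend would embed the session's token as a hidden field, so only requests originating from that form pass the check.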