Imagine a comment box where each comment has to be approved by the moderator in his backend.
If the backend used GET requests for comment moderation, the URL to moderate a post would look something like this:
If some evil person posted a comment and knew their post ID (let's say 12), they could try to email you a link to http://yourdomain.com/moderate/allow/12 with a caption that says "Cute cat gifs". You would click on it and BOOM, the comment would be published…
How about links that would delete valuable content? Or issue a financial transaction of over 2000€ to somebody else?
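The moderation link described above, next to a handler that refuses it, as an added example that is not part of the original post. The handler names, the session ID, the in-memory `comments` store and the HMAC-based token scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
comments = {12: "pending"}            # constructed sample data


def csrf_token(session_id: str) -> str:
    """Token bound to the moderator's session, embedded only in the backend's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _post_id(path: str):
    """Return the post ID from /moderate/allow/<id>, or None if the path does not match."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["moderate", "allow"] and parts[2].isdigit():
        return int(parts[2])
    return None


def moderate_vulnerable(method: str, path: str, session_id: str) -> int:
    """Pattern from the text: any GET sent with the moderator's cookie publishes the comment."""
    post_id = _post_id(path)
    if post_id is None:
        return 404
    comments[post_id] = "published"   # state change triggered by a clicked link
    return 200


def moderate_hardened(method: str, path: str, session_id: str, form: dict) -> int:
    """State changes only through a POST that carries the session-bound token."""
    post_id = _post_id(path)
    if post_id is None:
        return 404
    if method != "POST":
        return 405                    # a clicked link is a GET: refused, nothing changes
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403                    # a cross-site form cannot know the token
    comments[post_id] = "published"
    return 200
```

The token only helps if it is rendered solely into pages served to the logged-in moderator and never placed in a URL.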