An attacker can use any number of techniques to trick a trusted user into sending a request unintentionally. This request can potentially perform an unwanted action, bypassing any safeguards that might be in place.