Without origin verification, the target website cannot tell legitimate requests made by its own pages apart from malicious requests sent from an attacker's site. An attacker can craft a malicious website or script that sends requests to the target website while the user is already authenticated there. This vulnerability class is not about a single specific user input or action, but about a series of actions that leads to insecure cross-origin communication.
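One way a server can perform the origin verification described above, shown as an added example (not code from the original page). The allowlisted origin `https://app.example.test`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side origin verification for state-changing requests.
// ALLOWED_ORIGINS and the sample requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise a header value to scheme://host[:port], or null if unusable.
function toOrigin(value) {
  if (!value || value === "null") return null; // opaque origins send the string "null"
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // exact origin; never substring or suffix matching
  } catch {
    return null; // unparsable header value
  }
}

// Decide whether a request (method + lowercase header map) may proceed.
function verifyOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  // Prefer Origin; fall back to Referer only when Origin is absent.
  const source = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const origin = toOrigin(source);
  if (origin === null) {
    return { allowed: false, reason: "no verifiable origin" }; // fail closed
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "foreign origin " + origin };
  }
  return { allowed: true, reason: "allowed origin" };
}

// Constructed sample requests: own page, lookalike host, opaque origin,
// Referer-only, no headers at all, and a safe-method request.
const samples = [
  ["POST", { origin: "https://app.example.test" }],
  ["POST", { origin: "https://app.example.test.attacker.test" }],
  ["POST", { origin: "null" }],
  ["POST", { referer: "https://app.example.test/settings?tab=email" }],
  ["POST", {}],
  ["GET", { origin: "https://other.test" }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), "->", verifyOrigin(method, headers));
}
```

The check compares the parsed origin exactly, so a lookalike host that merely begins with the allowed name is rejected, and a state-changing request with no verifiable origin is refused rather than trusted.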