Indeed, user embedded pictures can fire GET requests while can not make POST requests. But this is not a problem if you don't allow users to embed pictures, or you authenticate the GET request somehow. Anyway GET requests are just fine.

The same would have worked with a POST endpoint.

The story url only would have to point to a web page that creates the upvote post request via JS.

That runs into CORS protections though.

CORS is a lot less strict around GET as it is supposed to be safe.

Nope, it would not have been prevented by CORS.

CORS prevents reading from a resource, not from sending the request.

If you find that surprising, think about that the JS could also have for example created a form with the vote page as the target and clicked on the submit button. All completely unrelated to CORS.

Even mdn calls it "violating the CORS security rules" instead of SOP rules: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...

Anyway, this is lame low effort trolling for some unknown purpose. Stop it.