1 The admin creates an album and uploads a photo.
2 member-1 logs in and sends the photo as a greeting card to member-2.
3 member-1 uses Burp Suite to intercept the request, which looks like this:
POST /adm_program/modules/ecards/ecard_send.php HTTP/1.1
....
admidio-csrf-token=5MWloNNqzipYc1YKQVvW2pDMkSBmn7&submit_action=&photo_uuid=bb7538ba-6d68-443d-b769-dddac4aa3021&photo_nr=1&ecard_template=postcard.tpl&ecard_recipients%5B%5D=4&ecard_message=%3Cp%3Etest%3C%2Fp%3E%0D%0A&btn_ecard_submit=
4 The admin locks the album. The album is currently locked and will not be shown to visitors for this reason.
5 However, user1 repeats the request and finds that the photo is sent successfully.
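
The missing control in step 5 is a server-side check of the album's lock state at send time. The sketch below is an added example, not Admidio's code: the function, array layout and `is_photo_admin` flag are hypothetical, and it assumes `photo_uuid` identifies the album, `photo_nr` the photo within it, and that administrators may still use a locked album.

```php
<?php
// Added example with hypothetical names; not taken from the Admidio code base.
// Constructed sample data: one album that the admin locked after the upload.
$albums = [
    'bb7538ba-6d68-443d-b769-dddac4aa3021' => ['locked' => true, 'photo_count' => 3],
];

/**
 * Decide whether $user may send photo $photoNr of album $photoUuid as an e-card.
 * Evaluated on every send request, so a lock applied after the form was loaded
 * (or after the request was captured) still takes effect.
 */
function canSendEcard(array $albums, array $user, string $photoUuid, int $photoNr): bool
{
    if (!isset($albums[$photoUuid])) {
        return false;                   // unknown album
    }
    $album = $albums[$photoUuid];
    if ($photoNr < 1 || $photoNr > $album['photo_count']) {
        return false;                   // photo number outside the album
    }
    if ($album['locked'] && empty($user['is_photo_admin'])) {
        return false;                   // locked albums are hidden from ordinary members
    }
    return true;
}

// The repeated request from step 5, reduced to the two fields that select the photo.
$post = ['photo_uuid' => 'bb7538ba-6d68-443d-b769-dddac4aa3021', 'photo_nr' => '1'];

// Constructed users: an ordinary member and an administrator (assumed roles).
$users = [
    'member' => ['id' => 2, 'is_photo_admin' => false],
    'admin'  => ['id' => 1, 'is_photo_admin' => true],
];

foreach ($users as $label => $user) {
    $ok = canSendEcard($albums, $user, $post['photo_uuid'], (int) $post['photo_nr']);
    echo $label, ': ', $ok ? 'send allowed' : 'send refused', PHP_EOL;
}
```

A valid CSRF token does not replace this check: the token only shows that the request came from the member's own session, not that the member is still allowed to use the photo.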