
It really shouldn't be GET anyways; that's asking for trouble.



Some of the pages that are exploited do use POST though. If it accepts authorization through a cookie and doesn't require an XSRF token or JSON content type, it is probably vulnerable.

But yes, in general, making actions happen in response to a GET request is generally a bad idea, since these are often cached and considered "safe" to retry.
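The condition described in the comment above, written as a server-side check. This is an added example, not code from the thread or from any site it discusses; the cookie name `session`, the header `x-csrf-token` and the function `csrf_check` are assumptions made for illustration.

```python
import hmac

# Methods whose handlers must be read-only: they may be cached or retried.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_check(method, headers, cookies, expected_token):
    """Return (allowed, reason) for one request to a cookie-authenticated app.

    headers and cookies are plain dicts with lower-cased header names.
    expected_token is the per-session token the server issued (assumed scheme).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method: handler must not change state"
    if "session" not in cookies:
        # No ambient credential rides along, so this is not a CSRF case;
        # authentication is enforced elsewhere.
        return True, "no cookie credential attached"
    token = headers.get("x-csrf-token", "")
    if expected_token and hmac.compare_digest(
        token.encode(), expected_token.encode()
    ):
        return True, "valid anti-CSRF token"
    # An HTML form can only send urlencoded, multipart or text/plain bodies,
    # so requiring application/json excludes plain cross-site form posts.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "application/json":
        return True, "JSON content type required and present"
    return False, "cookie-authenticated write without token or JSON content type"


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("POST", {"content-type": "application/x-www-form-urlencoded"}),
    ("POST", {"content-type": "text/plain"}),
    ("POST", {"content-type": "application/json; charset=utf-8"}),
    ("POST", {"content-type": "text/plain", "x-csrf-token": "tok-123"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, csrf_check(method, headers, {"session": "s1"}, "tok-123"))
```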



