When a moderator or admin closes a thread, it sends their session ID in the query string to modcp.php.
e.g. http://example.com/phpBB/modcp.php?params=blablabla&sessionID=123
Once that's happened and the thread is closed, they are then redirected back to the closed thread.
The problem with that is if an attacker posts an image on the thread, they can then can check the referer header which, when a mod/admin closes a thread, will be the modcp URL with the session ID.
That gives the attacker the session ID allowing them to be authenticated as the moderator/admin that clsoed the thread.