8. Second-Order Vulnerabilities: A Rare Bug -> $$$
The article contrasts immediate vulnerabilities with second-order vulnerabilities. An immediate vulnerability triggers as soon as the attacker sends the payload; a second-order vulnerability first stores the payload safely (sometimes even sanitized) and only triggers later, when another part of the system processes it. This delay makes second-order vulnerabilities some of the most easily overlooked yet most valuable security issues.

2026-3-15 14:12:55 Author: infosecwriteups.com

Abhijeet kumawat

Most vulnerabilities happen immediately.

You send a payload → the application processes it → the bug triggers.

Second-order vulnerabilities work very differently.

Here, the payload is stored safely at first, sometimes even sanitized or accepted normally. The real vulnerability only appears later, when another part of the system processes that stored data.

This delay makes second-order bugs some of the most overlooked and most valuable findings in bug bounty.


Bug Bounty from Scratch Series #1 to #25

🧠 What Is a Second-Order Vulnerability?

A second-order…


Source: https://infosecwriteups.com/8-second-order-vulnerabilities-a-rare-bug-316829a5292d?source=rss----7b722bfd1b8d---4