"CVE-2026-4006": How WP_Post's Magic Fallback Turned a Missing URL into Admin XSS

Most XSS bugs are obvious: unescaped input, wrong function, move on. This one wasn't. I dove into a conditional branch that only fires when an author has no URL, outputting data that absolutely shouldn't. This is a full technical walkthrough: from recon to PoC that takes a Contributor account to Admin XSS.