Prevent default_role being set to dangerous values

[dd32]

A number of vulnerabilities have occurred in plugins which allow setting arbitrary options, similar to #46705 I think it's worth preventing default_role being set to administrator while users_can_register is enabled.

I'd suggest it being implemented as a run-time filter on the default_role value so that plugins can disable the functionality (plus some UI magic), but basically:

function filter_default_role( $default_role ) {
  // $users_can_register = ....
  if ( $users_can_register && get_role( $default_role )->has_cap( 'manage_options' /* or other cap deemed useful, `publish_posts` could also be used */ ) ) {
    $default_role = 'subscriber';
  }
  return $default_role;
}

#46705 may render this invalid, but this would protect against an options-overwrite bug having much more impact (where a bot overwrites the above values, gets an administrator account, adds PHP to theme files or installs malicious plugins, etc).

[kraftbj]

I'd consider this a duplicate of #43936.

[desrosj]

I think that's fair, @kraftbj.

@dd32 feel free to reopen if you feel this is inaccurate. Otherwise, please add any additional thoughts to #43936.