Refresh: Settings: Warn when open registration and new user default is privileged

src/wp-admin/includes/class-wp-site-health.php

@@ -1857,6 +1857,42 @@ public function get_test_available_updates_disk_space() {
 		return $result;
 	}
 
+	/**
+	 * Tests if registration is open to everyone and the default role is privileged.
+	 *
+	 * @since 6.9.0
+	 *
+	 * @return array The test results.
+	 */
+	public function get_test_insecure_registration() {
+		$users_can_register = get_option( 'users_can_register' );
+		$default_role       = get_option( 'default_role' );
+
+		$result = array(
+			'label'       => __( 'Open Registration with privileged default role' ),
+			'status'      => 'good',
+			'badge'       => array(
+				'label' => __( 'Security' ),
+				'color' => 'blue',
+			),
+			'description' => '<p>' . __( 'The combination of open registration setting and the default user role may lead to security issues.' ) . '</p>',
+			'actions'     => '',
+			'test'        => 'insecure_registration',
+		);
+
+		if ( $users_can_register && in_array( $default_role, array( 'editor', 'administrator' ), true ) ) {
+			$result['description'] = __( 'Registration is open to anyone, and the default role is set to a privileged role.' );
+			$result['status']      = 'critical';
+			$result['actions']     = sprintf(
+				'<p><a href="%s">%s</a></p>',
+				esc_url( admin_url( 'options-general.php' ) ),
+				__( 'Change these settings' )
+			);
+		}
+
+		return $result;
+	}
+
 	/**
 	 * Tests if plugin and theme temporary backup directories are writable or can be created.
 	 *
@@ -2818,6 +2854,10 @@ public static function get_tests() {
 					'label' => __( 'Autoloaded options' ),
 					'test'  => 'autoloaded_options',
 				),
+				'insecure_registration'        => array(
+					'label' => __( 'Open Registration with privileged default role' ),
+					'test'  => 'insecure_registration',
+				),
 				'search_engine_visibility'     => array(
 					'label' => __( 'Search Engine Visibility' ),
 					'test'  => 'search_engine_visibility',

src/wp-admin/includes/template.php

@@ -967,13 +967,17 @@ function parent_dropdown( $default_page = 0, $parent_page = 0, $level = 0, $post
  * Prints out option HTML elements for role selectors.
  *
  * @since 2.1.0
+ * @since 6.9.0 Added $editable_roles parameter.
  *
- * @param string $selected Slug for the role that should be already selected.
+ * @param string $selected       Slug for the role that should be already selected.
+ * @param array  $editable_roles Array of roles to include in the dropdown. Defaults to all roles that the current user is allowed to edit.
  */
-function wp_dropdown_roles( $selected = '' ) {
+function wp_dropdown_roles( $selected = '', $editable_roles = null ) {
 	$r = '';
 
-	$editable_roles = array_reverse( get_editable_roles() );
+	if ( null === $editable_roles ) {
+		$editable_roles = array_reverse( get_editable_roles() );
+	}
 
 	foreach ( $editable_roles as $role => $details ) {
 		$name = translate_user_role( $details['name'] );

src/wp-admin/options-general.php

@@ -304,7 +304,27 @@ class="<?php echo esc_attr( $classes_for_button ); ?>"
 <tr>
 <th scope="row"><label for="default_role"><?php _e( 'New User Default Role' ); ?></label></th>
 <td>
-<select name="default_role" id="default_role"><?php wp_dropdown_roles( get_option( 'default_role' ) ); ?></select>
+	<?php
+	/**
+	 * Filters the roles to be excluded from the default_role option.
+	 *
+	 * @since 6.9.0
+	 *
+	 * @param array $roles_to_exclude Array of roles to exclude from the dropdown. Defaults to administrator and editor.
+	 */
+	$excluded_roles = (array) apply_filters( 'default_role_dropdown_excluded_roles', array( 'administrator', 'editor' ) );
+
+	$editable_roles = array_reverse( get_editable_roles() );
+
+	$selected = get_option( 'default_role' );
+
+	foreach ( $editable_roles as $role => $details ) {
+		if ( in_array( $role, $excluded_roles, true ) && $role !== $selected ) {
+			unset( $editable_roles[ $role ] );
+		}
+	}
+	?>
+	<select name="default_role" id="default_role"><?php wp_dropdown_roles( $selected, $editable_roles ); ?></select>
 </td>
 </tr>