I have created a role using user-role-editor 3.9 called 'SiteAdministrator', copied from the 'Editor' role but with more capabilities, including creating, listing, editing and removing users. I also removed the 'Edit Dashboard' and 'Promote Users' capabilities from this 'SiteAdministrator' role.
This is all that was done to create a level/role in between the Editor and Administrator roles in WordPress.
'Administrator' (wp admin) -> 'SiteAdministrator' -> 'Editor'
Now I have created a user with this custom 'SiteAdministrator' role and logged in with it. The one major issue I found: this user now has the capability to create users and set their role above its own, for example even Administrator! This is a major issue, as he can gain control of the site as an administrator by creating administrator users. He should be able to create/edit users, but not above his own role.
In fact, I want to create a role that can manage everything in the site, similar to what an Editor can do, but with the additional capability of managing users at or below his own role only. He must not be able to edit an administrator user.
Further, he should not be able to see or select the 'administrator' role in the dropdown while creating/editing a user, and also should not be able to see administrator users in the users list.
Could someone let me know how I can achieve this, and throw some light on this major security issue?
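One way to fence in such a role, as an added example that is not part of the original question and not code from the User Role Editor plugin: a small mu-plugin that (1) drops protected roles from the role dropdown, (2) refuses edit/delete/promote capability checks against protected users on the server side, and (3) hides protected users from admin-side user queries. It assumes the custom role's ID is `siteadministrator` (User Role Editor stores a lowercase ID; adjust it to yours) and that `administrator` is the only role to protect.

```php
<?php
/*
 * Plugin Name: Limit SiteAdministrator scope (added example)
 *
 * Added example, not code from the original question or from User Role Editor.
 * Assumes the custom role's ID is 'siteadministrator' and that 'administrator'
 * is the only protected role; both are assumptions, adjust them to your site.
 */

// Roles a SiteAdministrator may never assign, edit, delete or list. Assumed list.
function sa_protected_roles() {
    return array( 'administrator' );
}

// True when the given user holds the custom role and is not also an administrator.
function sa_user_is_site_admin( $user_id ) {
    $user = get_userdata( (int) $user_id );
    if ( ! $user ) {
        return false;
    }
    $roles = (array) $user->roles;
    return in_array( 'siteadministrator', $roles, true )
        && ! in_array( 'administrator', $roles, true );
}

// True when the given user holds any protected role.
function sa_user_is_protected( $user_id ) {
    $user = get_userdata( (int) $user_id );
    return $user && (bool) array_intersect( sa_protected_roles(), (array) $user->roles );
}

// 1. Remove protected roles from the role dropdown. get_editable_roles() feeds both
//    wp_dropdown_roles() and the server-side check in edit_user(), so a role that is
//    missing here cannot be assigned through the new-user or edit-user forms either.
add_filter( 'editable_roles', function ( $roles ) {
    if ( sa_user_is_site_admin( get_current_user_id() ) ) {
        foreach ( sa_protected_roles() as $role ) {
            unset( $roles[ $role ] );
        }
    }
    return $roles;
} );

// 2. Deny edit/delete/promote of a protected user, whatever the UI shows.
//    For these meta capabilities $args[0] is the target user ID.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( in_array( $cap, $guarded, true )
        && ! empty( $args[0] )
        && sa_user_is_site_admin( $user_id )
        && sa_user_is_protected( $args[0] ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );

// 3. Hide protected users from admin-side user queries (the Users list screen).
//    The per-role counts in the "All | Administrator | ..." views come from
//    count_users() and are not affected by this filter.
add_action( 'pre_get_users', function ( $query ) {
    if ( is_admin() && sa_user_is_site_admin( get_current_user_id() ) ) {
        $not_in = (array) $query->get( 'role__not_in' );
        $query->set( 'role__not_in', array_merge( $not_in, sa_protected_roles() ) );
    }
} );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins. The `map_meta_cap` filter is the actual control: it applies to every `current_user_can()` / `user_can()` check, including the ones made by `wp-admin/users.php`, `user-edit.php` and the REST API, so it holds even if the dropdown or list filters are bypassed. The `role__not_in` query argument needs WordPress 4.4 or newer, and hiding users from the list is a convenience rather than a security boundary. Verify the result by logging in as the SiteAdministrator and confirming that `user-edit.php?user_id=<an administrator's ID>` returns the "Sorry, you are not allowed to edit this user" error.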