The only correct solution
(Other answers I see are faulty, vulnerable or incomplete. All of them can be bypassed.)
This plugin does correctly:
class DisableMailChange
{
public function __construct()
{
//prevent email change
add_action( 'personal_options_update', [$this, 'disable_mail_change_BACKEND'], 5 );
add_action( 'show_user_profile', [$this, 'disable_mail_change_HTML'] );
}
public function disable_mail_change_BACKEND($user_id) {
if ( !current_user_can( 'manage_options' ) ) {
$user = get_user_by('id', $user_id ); $_POST['email']=$user->user_email;
}
}
public function disable_mail_change_HTML($user) {
if ( !current_user_can( 'manage_options' ) ) {
echo '<script>document.getElementById("email").setAttribute("disabled","disabled");</script>';
}
}
}
new DisableMailChange();