This just in via WordFence email: Wordfence <firstname.lastname@example.org>
AJAX call creates a user named wpservices with the email email@example.com and the password w0rdpr3ss. With this user in place, the attacker is free to install further backdoors or perform other malicious activity.
Block these IPs in cPanel / IP Blocker:
yourservice.live – Hosts the script responsible for rogue administrator creation. Also associated with other malvertising scripts in earlier incarnations of this campaign.
adsnet.work – Hosts ad network scripts for redirection and popups.
IP Addresses 18.104.22.168
Details please review their article at https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/