This just in via WordFence email: Wordfence <email@example.com>
AJAX call creates a user named wpservices with the email firstname.lastname@example.org and the password w0rdpr3ss. With this user in place, the attacker is free to install further backdoors or perform other malicious activity.
Block these IPs in cPanel / IP Blocker:
yourservice.live – Hosts the script responsible for rogue administrator creation. Also associated with other malvertising scripts in earlier incarnations of this campaign.
adsnet.work – Hosts ad network scripts for redirection and popups.
IP Addresses 188.8.131.52
Details please review their article at https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/