Similar issue here (spam, malicious files and malicious code in themes header). WordPress was updated to the latest stable version but I can’t tell for sure that the issue started after the update of prior to it, because some domains have older malicious files than the update, while on other domains the malicious files are newer than the update.
For the moment we were not able to determine where the vulnerability is coming from but the code is doing a lot of things so I guess that completely deleting and reinstalling is a good start.
