Thanks for responding Eli.
I was able to remove all the scripts using SQL replace as you suggested. In case anyone else ever has this issue, I will note that I was able to escape the single quotes by inserting two single quotes in their place and I was able to escape newlines with \n
so, the SQL command looked like this:
SET post_content = REPLACE (post_content,’<malicious js>’, ‘ ‘)
Obviously I would recommend backing up your database before attempting a command like this.
I am new to WordPress, having previously worked only with Drupal in terms of CMSs. In an attempt to plug the security hole that could have allowed this hack, I have deleted a bunch of old users that were not in use, changed the passwords for active users, changed the DB password, updated WordPress and all plugins to the latest versions, applied your plugin’s Login patch, and asked my contact to notify the server administrator so they may change any relevant passwords.