My XML sitemap contains spam content, while the HTML sitemap is not. What I can do?


My website just recovered from an attack. I found out that my XML sitemap still contains spam content:


http://xn--qucu-hr5aza.com/7pwclknquax4hdhux0rx.so
2020-04-13
daily


http://xn--qucu-hr5aza.com/a0obuu
2020-04-13
daily


http://xn--qucu-hr5aza.com/mp41229014ewmsm2ayay
2020-04-13
daily

However, my HTML sitemap is clean.

I am using the Google Sitemap Generator (XML) for WordPress, but it doesn't have an "update" or "reindex" button.

Is there a way to deal with this? And why can the attacker change my sitemap? Assuming you don't have my FTP password.