My XML sitemap contains unwanted content, unlike the HTML sitemap. What can I do?

My website has just recovered from an attack. I see that my XML sitemap still contains spam content:


http://xn--qucu-hr5aza.com/7pwclknq****hux0rx.so
2020-04-13
daily


http://xn--qucu-hr5aza.com/a0***u
2020-04-13
daily


http://xn--qucu-hr5aza.com/mp412******msm2ayay
2020-04-13
daily

However, my HTML sitemap is clean.

I am using the Google Sitemap Generator (XML) for WordPress, but there is no "refresh" or "reindex" button.

Is there a way to handle this? And why can the attacker modify my sitemap? Assuming they don't have my FTP password.