Below SQL query replaces the malicious script with a blank:
UPDATE wp_posts
SET post_content = REPLACE(post_content, '<script src=\'https://https://xyz/js.php?s=q\' type=\'text/javascript\'>', ' ')
Below SQL query replaces the malicious script with a blank:
UPDATE wp_posts
SET post_content = REPLACE(post_content, '<script src=\'https://https://xyz/js.php?s=q\' type=\'text/javascript\'>', ' ')