Always the last place you think. At least your site has had a scan of its innards performed.
wp-header is another place where hackers sometimes hide malicious junk.
You might want to reinstall the WordPress core files manually. Have you done that before? I suspect you have done so, but for the benefit of those who haven't, in general you'll need to:
1) download the WordPress zip file,
2) unzip it,
3) remove the wp-content folder from the unzipped file,
4) rezip the remaining package,
5) upload the rezipped file to your server,
6) copy all your WP files to a backup folder,
7) delete everything except for wp-content, your backup folder and the uploaded zip file,
8) decompress the zip file and reload your site to make sure it works,
9) if it doesn't work, restore the backup files,
10) if it does work (and it should), you ought to be safe to remove the backup files.
Hitting the Update/Reinstall WordPress button doesn't replace all core files so the manual method is best.
The Wordfence guys can be contacted at http://www.wordfence.com. Blog comments work well to get Mark's attention.
Worrying that Wordfence missed this one.
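
Steps 3 and 6 to 9 above as shell functions, for a host with shell access; this is an added example, not part of the original post. The directory arguments are hypothetical, the backup is placed outside the site directory, and `wp-config.php` is kept alongside `wp-content` as an assumption, since the stock package does not ship one. `unexpected_files` goes one step further and lists files the old install carried that the clean package lacks.

```shell
#!/bin/sh
# Added example; every path passed in is hypothetical.
# SITE = live install, CLEAN = freshly unzipped package (steps 1-2),
# BACKUP = new directory outside SITE (step 6).
reinstall_core() {
    site=$1; clean=$2; backup=$3
    [ -d "$site/wp-content" ] || { echo "no wp-content in $site" >&2; return 1; }
    [ -f "$clean/wp-includes/version.php" ] ||
        { echo "$clean is not an unzipped WordPress package" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 1; }

    cp -Rp "$site" "$backup" || return 1      # step 6: back up everything first

    # Step 7: delete all top-level entries, dotfiles included, except
    # wp-content and (assumption, see lead-in) wp-config.php.
    for entry in "$site"/* "$site"/.[!.]*; do
        case ${entry##*/} in wp-content|wp-config.php) continue ;; esac
        if [ -e "$entry" ] || [ -L "$entry" ]; then rm -rf "$entry" || return 1; fi
    done

    # Steps 3 and 8: copy the clean core in, skipping the package's wp-content.
    for entry in "$clean"/* "$clean"/.[!.]*; do
        case ${entry##*/} in wp-content) continue ;; esac
        if [ -e "$entry" ]; then cp -Rp "$entry" "$site"/ || return 1; fi
    done
}

# Step 9: put the backup back if the site does not load.
restore_backup() {   # restore_backup SITE BACKUP
    [ -d "$2" ] || return 1
    rm -rf "$1" && cp -Rp "$2" "$1"
}

# Files outside wp-content that the old install had but the clean package
# does not ship: the ones worth reading before the backup is deleted (step 10).
unexpected_files() { # unexpected_files BACKUP CLEAN
    ( cd "$1" && find . -type f ! -path './wp-content/*' \
        ! -path ./wp-config.php | LC_ALL=C sort ) |
    while read -r f; do
        [ -e "$2/$f" ] || printf '%s\n' "${f#./}"
    done
}
```

Run `reinstall_core` first, check the site, then review the output of `unexpected_files` against the backup before removing it.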