@ymf I assume you gave them the full whmscripts link mentioned above
The hosting company I dealt with confirmed that only a single account being unsafe can lead to other accounts on the same server being exploited.
There are some steps you can take yourself. You could and should reset your cpanel passwords and set a separate password for your database making sure that is not the same password as noted in that link & make your wpconfig file permission to be 600.
I'm not sure if this will protect your site if the cpanel patch has not been applied to the main server but it can't hurt.
If your site has been attacked in this way then it has come via cpanel I use a fair number of server hosting companies around the world and some are better than others. Unfortunately some companies are more helpful than others.
You may want to escalate from a customer service person to an actual engineer. If the hosting company is credible than they should be happy to double check that their processes have indeed been fully checked out.
Also note above: I can see I made a small but important mistake where I mentioned
"need to go into your wp-config and edit out the following code."
// define('DB_CHARSET', 'utf8');
Of course you just have to edit out the // at the front so that the charset is restored because it has been commented out. Whichever way you do it the charset in wpconfig need to be restored back to utf8.