The xmlrpc.php and wp-cron.php files in WordPress are often targets for attackers due to their potential misuse for DDoS, DoS, and brute-force attacks. When enabled, they can be exploited to overload the server, disrupt service, or attempt unauthorized logins, posing significant security risks.
https://hackerone.com/reports/2299069