XML-RPC allows interaction between blog posts and some plugins. WordPress is essentially a blogging platform on steroids – although these days it is mostly used asa CMS for websites. XML-RPC is useful for automated content from feeds but is not used to its full for regular websites.
Hackers exploit XML-RPC as an opportunity to bruteforce password access.
XML-RPC use should be reviewed and the risks mitigated as part of a WordPress Security Maintenance check.