Summary
Hackers are compromising WordPress sites to inject malicious scripts. These scripts can either steal cryptocurrency from visitors’ wallets or hijack their browsers to launch brute-force attacks against other websites. The hackers are likely building a larger pool of compromised sites to launch more extensive attacks in the future.
It’s absurd that XMLRPC is still not disabled by default.
It’s been an unnecessary weak point in the attack surface for many years.