The list of exploits comes from parsing the server logs of my sites.
The scanner only checks for the existence of the files and doesn't check their contents.
If it finds your "wp-login" or something similar it doesn't mean it's hacked or comprimised however it's a good idea to move it to a none standard location to make it harder for your site to get hacked.
Looks like one of your Wordpress core files is exposed to the public.
It's not the end of the world and it doesn't mean you've been hacked but it does mean it is a possible attack vector.
Do not delete them unless you know what you are doing! just find a plugin or setting that makes private to the public.