WSDL files containing sensitive information must not be publicly accessible.
Some web services architectures require exposing a WSDL file. If this file contains sensitive information such as deprecated methods or administrative services, it should not be available to a wider audience than it requires. If it must be available on a very public network such as the internet, then it must not contain any sensitive information.
CWE-651: Exposure of WSDL File Containing Sensitive Information The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).