The biggest threat with any API is that its an attack surface. You are exposing functionality that could be vulnerable to common vulnerabilities such as SQL Injection and Directory Traversal.
When it comes to a WCF response, it depends how the data is being used. For instance if you are fetching data from a WCF interface and then building a query you could still be vulnerable to SQL Injection! If you are fetching that data and then displaying it on an HTML page then you cloud be vulnerable to XSS.
The vulnerabilities that are possible depend entirely on how the data is being used. You shouldn't trust any data source, not even your own database. Make sure that you sanitize data at the time of use. Use parametrized quires to stop SQLi.