The server writes a base64-encoded PHP webshell to the plugins directory. The attacker then accesses /?plugin=evil&cmd=ls -la to execute system commands persistently.