When the xp_cmdshell extended stored procedure is enabled, an attacker could use it to run BCP commands to export sensitive data from the SQL Server. Additionally, an attacker could use BCP to import malicious data into the SQL Server, which could be used to execute arbitrary code, create a new user with administrator privileges, or cause a denial of service attack.
It is also possible to use BCP to run other command-line utilities on the host operating system by using the "queryout" option. This can allow an attacker to execute arbitrary code on the host operating system under the context of the SQL Server service account, which could provide the attacker with privileged access to the host operating system.
For these reasons, it is important to properly restrict access to the xp_cmdshell extended stored procedure and use secure authentication methods when using BCP. It is also recommended to use the least privilege principle and only run BCP with the necessary permissions.