Without logging into your admin panel, hacker can access to your site via: http://[www.yoursite.com]/admin/categories.php/login.php?cPath=&action=new_product_preview https://[www.yoursite.com]/admin/file_manager.php/login.php To patch your site, open /admin/includes/application_top.php find: $current_page = basename($PHP_SELF); around Line 136 replace: $current_page = basename($_SERVER['SCRIPT_NAME']);