Without logging in to your admin panel, an attacker can access your site via:
http://[www.yoursite.com]/admin/categories.php/login.php?cPath=&action=new_product_preview
https://[www.yoursite.com]/admin/file_manager.php/login.php
To patch your site, open /admin/includes/application_top.php
find (around line 136): $current_page = basename($PHP_SELF);
replace it with:
$current_page = basename($_SERVER['SCRIPT_NAME']);
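Why the one-line change matters, as an added example that is not the site's own code: the login gate below is a simplified, assumed model (FILENAME_LOGIN and the function names are hypothetical), and the $_SERVER values are constructed for the second URL above.

```php
<?php
// Added illustration. The gate below is a simplified, assumed model of an
// admin login check; it is not the site's actual application_top.php.

const FILENAME_LOGIN = 'login.php'; // assumed name of the login script

// Constructed $_SERVER values for a request to
// /admin/file_manager.php/login.php, as PHP populates them when the web
// server hands the trailing "/login.php" to the script as PATH_INFO.
$request = [
    'SCRIPT_NAME' => '/admin/file_manager.php',
    'PATH_INFO'   => '/login.php',
    'PHP_SELF'    => '/admin/file_manager.php/login.php',
];

// Before the patch: PHP_SELF includes PATH_INFO, so the client chooses
// the last path segment that basename() returns.
function current_page_before(array $server): string
{
    return basename($server['PHP_SELF']);
}

// After the patch: SCRIPT_NAME names the script that actually executes.
function current_page_after(array $server): string
{
    return basename($server['SCRIPT_NAME']);
}

// Hypothetical gate: an unauthenticated request is redirected to the
// login page unless the current page is the login page itself.
function must_redirect_to_login(string $currentPage, bool $loggedIn): bool
{
    return !$loggedIn && $currentPage !== FILENAME_LOGIN;
}

$variants = ['before' => 'current_page_before', 'after' => 'current_page_after'];
foreach ($variants as $label => $fn) {
    $page = $fn($request);
    printf(
        "%-6s current_page=%-16s redirect_to_login=%s\n",
        $label,
        $page,
        must_redirect_to_login($page, false) ? 'yes' : 'no'
    );
}
```

After patching, request one of the URLs above from a browser with no admin session; it should redirect to the login page.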