I have a security-related question, please reply

Hello, today I moved from VestaCP to HestiaCP. I am using some nulled scripts, plugins, and themes, and maybe those scripts have backdoors.
I want to know: if one of my sites is hacked and the hacker uploads a shell, can he then access all of my server?
Note: I am using different sites on different users, not as an admin.

We limited shell_exec on websites a few releases ago…

And patched multiple security issues, including:
Security Vulnerability VestaCP with Nginx + PHP-FPM · Issue #2292 · serghey-rodin/vesta · GitHub