Hacking my server

Hello, it’s been months that I have problems with my server that has been hacked. I did not notice it at first, because I was convinced that I had a configuration problem. It is by falling on a malicious script inserted in the webroot folder that persuaded me. So I would like to know how is it possible to have this script when I have never shared my password or give access to my server.

Would it be a security hole in CakePHP 3?

Yes it might be an issue with Cross-site Scripting (XSS) left opened by your developer.
Get it checked and sorted

It can be many things. If it is a shared hosting and your folder permissions allow your group or anybody write to that folder than it is a possible reason. If you have file upload in your application it may be vulnerable.
On the other way if you save your password to FileZilla / Total Commander than a malware can hijack it.