What you are trying to do is extremely dangerous from a security standpoint. Just keep that in mind.
That said, you have two options:
1. Change the permissions of your website's PHP user to be able to execute shell commands.
This is a terrible idea and you shouldn't do it because it is very dangerous and will allow any Web visitor to execute commands on your server.
2. Run the command via sudo, and add your PHP user as an accepted sudo user for the pandoc command.
echo shell_exec('sudo -u ThePHPUserOnYourBox -S /root/.cabal/bin/pandoc')
You should not do this because it is very dangerous. It's more secure than the first option but it's still wildly insecure.
Another option is to build some sort of proxy service that submits your pandoc requests to a worker server, does the conversion you want, sends that converted document someplace else, and notifies the web server that the work is complete.
In other words, pandoc needs to be completely off the webserver, on another server entirely. It needs to receive jobs from the webserver, process them independent of the webserver, and send the completed documents back to the webserver.