how real is this security problem?
You shouldn’t be concerned by this unless you’re retrieving user agents and making raw SQL queries. I recommend you avoid both of those, but for unrelated reasons.
If you are piping raw user agents into raw SQL queries, and you would know if you were doing this as it’s a very specific thing to do, stop that.
Think of it as as a house inspector saying your house could be vulnerable to having a horde of rabid bats smash your awning, and they tested this by flying a bat and noticing it was not stopped by security measures. Does that mean you install anti-bat devices? Does your house even have an awning? Is a bat swarm high on your list of security concerns?
Tools like this are usually non-CMS specific, and may raise the alarm on issues that don’t apply, or are purely theoretical.
how to score better on it?
You didn’t mention the testing tools, it looks like they want you to maintain a whitelist of user agents and then only return HTML if your user agent matches. I wouldn’t recommend this, as it’s a big maintenance burden to protect against a theoretical attack you aren’t vulnerable to.
if plugins are not available, can we assume that coding is needed?
I would be deeply suspicious of any plugins that try to solve this for you, although recommendations are off topic here anyway.
If you wanted to actually implement this, do it at the Apache/Nginx level.
My recommendation though? Ignore this. They’ve devised a solution to a theoretical attack, then wrote a test to see if you implemented it, then declared that you’re vulnerable because you didn’t use their specific solution to a problem that won’t affect you unless you explicitly added the problem in.
Nobody can tell you that your site is secure, that isn’t how security works, and nobody can say you are or are not vulnerable to a type of attack without actually running an exploit. Take the results of this scan with a hefty pinch of salt.